Windows Analysis Report
Document.one

Overview

General Information

Sample Name:	Document.one
Analysis ID:	800794
MD5:	7868568c73def3f22ef86f5a41c82c60
SHA1:	2d00a6ed48ed43edd6ab2b3babaccd8eeee431c3
SHA256:	959cc3ff94aaa54d34ac9877b2ef088298d01b4c19b2a3cf628a10a1b518cba3
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (process start blacklist hit)

Stores files to the Windows start menu directory

Creates a start menu entry (Start Menu\Programs\Startup)

Classification

Signatures

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\{0B9D4D20-744C-4FD4-9D10-2EE4FBDC4043} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: sus21.expl.winONE@3/68@0/1

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Document.one
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{51612F47-5FDF-4C21-8F3D-C5552844386C}

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process information queried: ProcessInformation

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

ID:	800794
Product:	CloudBasic
Start time:	19:54:52
Start date:	07.02.2023
Sample:	Document.one
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Architecture:	WINDOWS
MD5:	7868568c73def3f22ef86f5a41c82c60
SHA1:	2d00a6ed48ed43edd6ab2b3babaccd8eeee431c3
SHA256:	959cc3ff94aaa54d34ac9877b2ef088298d01b4c19b2a3cf628a10a1b518cba3
Filetype:	Microsoft OneNote note (16024/2) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators	5D1E1505BD5216805FC6CD14E0D90986	E7B0BC349EEA8222615174155407932A1E363DA0	69588BD4887C59630856C985606BEC0096DF05563DADE1A896A79D1DA32B1354
C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2	F138A66469C10D5761C6CBB36F2163C3	EEA136206474280549586923B7A4A3C6D5DB1E25	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-journal	SQLite Rollback Journal	9B9CC11AABA7C5F44B334E87BCEA0198	16F31061A3B4D2B17150A39C4218A146C9104602	DDB87B13683245F7659D16497AD0A78F37374F2DF3393B0625C57F9EF24025CF
C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm	data	4934C827ABE9985FCF53B7153A3754A3	F080A6D2D58448282AD43067ABD89F0CE908D6AB	187E98CB8D9C48C4E4B6C86AFEBB70E815B5E85716FC2B60D3C3E918F63F91B9
C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal	SQLite Write-Ahead Log, version 3007000	C43BDA94B92EBE349DBCB061528E139D	570A11984370800498A9942D1ED7CF956CE7BF70	3C6C8AA80F80F6CFAC6A888FB9B6DA9EA1464E4156045D2EBD002A06CDF18DF8
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header	Matlab v4 mat-file (little endian) \260\016, numeric, rows 1020487318, columns 0	737CFCFEC7F54ABA0324F727E356DB64	57ADC85C2BCEEE5B96DEA6410DACC89F18846091	84BE50A215052A9CA92D77DFB99037DC9DB2481CBE897282AB09B263AF3CF48D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	C2BF462C1311A92660999498F29394BD	4BD7C156F172C1114F33D80BAB05252C9F8E87C0	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin	ASCII text, with very long lines (368), with no line terminators	1140A342E3787033A400F7ED6340690A	D2457ECB943574BA3AE89470166C00FCEE223CEC	4AD31742913747713CE85004B54F47DB40C0A57ACE18609808ED8376F772A78F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin	GIF image data, version 89a, 1012 x 327	B035F23C68CC9673E604FE5472F223D2	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Temp\{0D50DF9D-C835-4FEC-8856-2AF165CAA92D}.bin	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Temp\{0E6DBBBF-A3C0-48DA-BED3-C8930739DF0B}	data	5E447999048819F05DFC78FE794920A2	48FFA594E00E5315F2BC4DD58049AFAB81C8C137	0447F15BF5CEF2E4435722588AA035CE4E079134D94BF5190EBA957DEF83A8C1
C:\Users\user\AppData\Local\Temp\{187023B7-C9CC-4BD0-87B3-E472F3855AA3}	data	F19F689A32E6D2010444E793794F66A7	D20B7FFE87753BAEE58E4DA76F8A9AD9F7B34CE2	E5F1E47A4D385C7430FC69B9797EE651D2CF4DB7F41FD392F52D7761CAA44F2A
C:\Users\user\AppData\Local\Temp\{1BA8BC9F-BAF0-4471-A68C-831394576820}	data	68747303C1DC2B19F97EA3715CDFCAD9	447AC5C077F5A4A85CE4BFAD83217D6D36C25CF9	6C577B0BC8BDCC7B5ACCCB30733149F2D52563B9E3CB5CFCC9732ABC1538E501
C:\Users\user\AppData\Local\Temp\{205FB1FA-EB16-43F2-86C5-B07E9A12980B}	data	05A5661A4A7553AA126B748DD8FDD44E	82C8755401677CD1F085D7C1AE0F0F5F363C1EC8	0E1D61621A51875AC4C411D15ABFA65BFE14DB7F6A862F4CFC6C375023B00B00
C:\Users\user\AppData\Local\Temp\{2265CAC3-1A5D-4C48-AF94-A71BBEC89222}	data	0A6C634125B0B947848B9E24DBDF019E	12E68057CEEAA36A8F26A6A7174DA89284C9CAA8	CFDCFB1A545BF6051EBF74E97080B257EDF26CF792FB67C5542EA24E1AAB2395
C:\Users\user\AppData\Local\Temp\{4DA24EBA-9C29-4348-81D5-F33931C2288D}	GIF image data, version 89a, 1012 x 327	B035F23C68CC9673E604FE5472F223D2	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
C:\Users\user\AppData\Local\Temp\{4E5BA980-837E-4313-A9E6-0E99A903959D}	data	632A2B7ED2B01BA939FC363335037014	5DBCCC98DE406BCEB6006CEA0B908FCAF0505899	D2F6500A04BC6A86443FB5909AAC484C56ADF8E0F854890BB8D31A5096769C61
C:\Users\user\AppData\Local\Temp\{513AB815-F377-4589-AAE3-880D93915B90}.bin	GIF image data, version 89a, 1012 x 327	B035F23C68CC9673E604FE5472F223D2	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
C:\Users\user\AppData\Local\Temp\{5201C174-E8AB-444C-BF8B-A9E7BC2A638A}.bin	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	C2BF462C1311A92660999498F29394BD	4BD7C156F172C1114F33D80BAB05252C9F8E87C0	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
C:\Users\user\AppData\Local\Temp\{5F8474AE-5559-4496-8704-47ADE4570097}	data	1DF885C0EB076A1C9D67B42859174E87	5A3F14DED92168E748915C3DDE9A9A757D140F3E	3F59B3A4E3AFC8D7BFB9C99FD04BBFC9B8F874DEA8600B1DC327A4A9FE2FA339
C:\Users\user\AppData\Local\Temp\{5FCF2F4B-1582-4C30-9102-96D683F264EC}	data	55BE247CCC557474E863729253EB709D	8E976D1D68AFC2AA68BB9F773F804B6307DFE145	275CEC341C97F10592FD547626C26115BE90DA5DAC8C60E3D400F6AFAF9D92D7
C:\Users\user\AppData\Local\Temp\{635EAFCC-6A0E-4E2D-B0DE-2088BE0F8754}	data	C72737FB40ADFF11D235E26DBFE57B9E	56875EEF5089E636DFB91787DA9D02223DF70603	4374AF578DEB76BBA78C42A1B3618A01406DB05F327CBD7E282E38525231EF5D
C:\Users\user\AppData\Local\Temp\{68535A9E-EB0C-4B6A-BC04-E37534063832}	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Temp\{7DFF42B6-807C-4DE3-AA08-4D6D60B3BB7A}	data	203CCDB6060C70DBC2F45584E92C5A2C	5F0DFC1B6A6F9FFDD1284886A8758BBDAB0353E3	CA43FF6E63B7D9306B6FE2B3714932A6289B90763F408A70397B002424F85719
C:\Users\user\AppData\Local\Temp\{833BBCE8-1CE5-4A33-BE2D-894EF53FEE46}	data	F40670E09B58D3C9A8CF1168B26CE5D0	16F2E52E33CA5CDCF317D82CC405B368535008B3	6DFEE020D59E06A7B8C54E78E1C733BA4238D92406153D3E542D2680F6FAFBC7
C:\Users\user\AppData\Local\Temp\{83BA6D36-2196-4487-BAAD-FE15AF122565}	data	4DF88BA9B9607A9394AE5F72A0879C91	D8359F68E0C5402FB08EBE26696E58D0CE7140A9	B4A0381707BA3454E57718F6A9394C322CE79119181B9D2E90103DF0B1E7132F
C:\Users\user\AppData\Local\Temp\{84E57D09-8B97-4380-A709-DC32BEADCF99}	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	C2BF462C1311A92660999498F29394BD	4BD7C156F172C1114F33D80BAB05252C9F8E87C0	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
C:\Users\user\AppData\Local\Temp\{A4601116-8B1A-4987-B1F8-2B503864EECB}	data	68353E08CBC0120FD8441CDA00DC9136	A920C60792ED6919655049F909DFCFAFD040E2F8	C73D1946BD516D82753652AD897E85F8B0B01BFA4B6911DF363FFC49F363901D
C:\Users\user\AppData\Local\Temp\{B24949E5-A304-4FCD-B0D4-30209C2F9A45}	data	E10CA59826327D039E2C00FF046115ED	718FB394CB1FD94E08A62C749456E3C9DFB52DD2	9D1965708E9DCF6D2661B4A650BA2EA791DC043BF3C8B91B0B1D20D12CF4D173
C:\Users\user\AppData\Local\Temp\{B59A9D2C-ED1E-47F4-90E0-3645E63DAE20}	data	BE783F81FFDB6028B599A836D298685D	652D7DF2423DA0E95FEE8E8BEE575C6774569F06	66A3A5741668218DC87CFE8F06EE4EE73203A661A6F88D7741C38EAD9170FB88
C:\Users\user\AppData\Local\Temp\{B9F8FA1C-06B0-4354-A382-C78BC6DC2478}	data	0A0C1354AA1212481E716D634D8C5878	32018C653F9A349C4B259A19445422EF34237DF0	6BA50C45A77A4F4785368737D7DC2995D08FC12DA993FEFD94D43BCCB398FDC7
C:\Users\user\AppData\Local\Temp\{BA1C306D-67E6-4B43-AD43-E1D2155CD557}.bin	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Temp\{C24A363B-3F25-4D78-8D62-A8644C199A19}	data	6E77F23C9450A156E91D49FB491A841E	92CD8EA78C82AB46B36DF9B74FDCA841D52FAE9E	99AA3E17DAA3020F270A9168B721FCCEA455EAD615ADB49CB1F4661689585737
C:\Users\user\AppData\Local\Temp\{CD7C088E-DA9E-48D5-AC09-A932818D0DA3}	data	5FE90EB46E917301653176B30F042C79	B71346A1A26B3816C4CCF3268192F08DF546B007	B7B110742EE2CAF742CF977D8F035EE25703373888C58EF2724EC12FAEEDBB48
C:\Users\user\AppData\Local\Temp\{E11D2A68-BD51-4949-973B-CAEBFA28AD85}	data	4FF65DC186D9B73A343F7D47364CC7DC	AD99ECE3104AFF7E92CE327876BDC9951EDB12E6	8462BA51B4DE52D880983D0095096A1F933530626F2302A8FC3E7644FD4F9196
C:\Users\user\AppData\Local\Temp\{E7C5C746-021A-4F24-ADB3-169DFED88711}	ASCII text, with very long lines (368), with no line terminators	1140A342E3787033A400F7ED6340690A	D2457ECB943574BA3AE89470166C00FCEE223CEC	4AD31742913747713CE85004B54F47DB40C0A57ACE18609808ED8376F772A78F
C:\Users\user\AppData\Local\Temp\{F8DE737E-2360-4149-A1ED-C6862E3AF421}	data	BEA2811DDD8C7066BEA3FB725C31F705	00F9800BDF149F58EFE8D79FB3A280DABAAD68CF	C9DC0FFBB27E95B9909C6DBB20A905269E88A3A0637CB9BE9D9B01CBDF843C80
C:\Users\user\AppData\Local\Temp\{F9CD84DB-A8AC-453A-8744-5110815F8CDD}	data	F08CF419BE3E7B3B7BDB679415038A6C	31F6AB8CC03CF971AD73E1D2E6E1C7958B55D29B	CC705961B177C476D7205DA400B11A50C36B9E922E1A0FE131FF4EA9554CF860
C:\Users\user\AppData\Local\Temp\{FD695529-50F6-4272-BBEC-9EF941B30B5C}	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Open Notebook.onetoc2	data	659EA1E4D8F572A5D0E78C1A2E22E60C	5B76FBC2FA3FE35E5FF6C8CA4FF565112471968B	0D885EAC6AAEF77D4927E23BC01277F7528D36F0FFA2B2AACB84A88D73594B26
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\Open Notebook.onetoc2	data	E9144194DF9D03CD88ECB8D437DECC98	6136FF0DC91A2A772CE16C95E03A78A9B71DD044	30170E5A4AA8AFDD6B76C6C4C6680DEFA26C096D973BD9C24F861F19DF4F7FC9
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Open Notebook.onetoc2	data	D20204DF30178836C13C638679C16303	5333FF18AF08A60621AF422B1351F3FE7681B0AD	EBE737A392762837CE0633EF33B20859F972CDB72050CB712C97D72EDC6BF9CC
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\Open Notebook.onetoc2	data	ACECAE6354DC82AFBBE3E75700BD0E0A	8EF9B78C7522372B24C0B196DACF2794EC980A04	363B44EEDCF3EE21A2A35B6E26398E345F2DD6F10AD2DAECFF21B257A4FB1CC2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\Open Notebook.onetoc2	data	58E76E76ABE2A3CEC5C54F05BC5005D8	DDB892872D56E167DFA25D93640EA85CE0B0EB88	691E234C92E5A1D1983400590952D25373EE9B973716858C1CA387F71CE80FA5
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\Open Notebook.onetoc2	data	425BCC2A11D19DE963E788AE79F6AA36	8DF362B0085C6F95B573E8B870229D2D58A70FDD	4BEB491962734AFC35D07BBD5F538493ECC35B8E7928F03E017D8F3512781EC2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\Open Notebook.onetoc2	data	0B04106B1A55DFEAA22056FD55A1E0A3	9F2706AAAF7367597C748BF6AF7AA825FCFD992F	1B7CC7DA2B43D20E0E0457954E38010961B9928BF0759C2DB5F997BE63E4FDBA
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\Open Notebook.onetoc2	data	7FF9D3BF9E5CE5CE8ABB331F88EB5BBC	A026240F22643989C7FC720D5302604C0F9174CC	8C4EE3EB8E7C46072DB2D04E9AC26BF9A45FB6CBD3FE4CE306256B045F27E8C6
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Open Notebook.onetoc2	data	1BEEB2070181E82B4807260CCC8DA9A1	8DF1E4FDF00512A2BF9A289ABC77030AAFBF226A	4272990B7882EA2A5797960DDADA3F57168B45493C68F97F96A751BA304459B9
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\Open Notebook.onetoc2	data	835C5093CF48ED6C9B39071CA1596BA4	A3D40F2AF3DAA5123F497C369EC361BDB3370179	0C1FB390E9112159BFA7EE1ABD840EEF560978DF6040B876181E98AD4EDDBD67
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\Open Notebook.onetoc2	data	3D4CA7A949E50D899E6B3D46C1FC8693	DF1BC57389A71040256E86D98F762B88ABB788FA	AFD5C8807A8CD3D0D7A752C3534F337D9E38C3917ECCCD7F80A91E3BB3F7E679
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Open Notebook.onetoc2	data	2B3ADE400598710F2F7FBF4D3C86E319	48D7139D92F5F01E5BF18D7100D1F41393D6AF20	5BAAFDECEF19D9D51012CFB00E8FE9C8296CBB48C911F4FB7EB6AAC8069565C6
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\Open Notebook.onetoc2	data	F5E62A2CA7B5FF07FB7EB53014D54B26	00DB3F90D8B4F7A60867955FF6C21A27EB94FF8D	EBCD1552B9E817EEF8C2602C0F0A2FFEE2AD0B1E32FC4C3629335084D1BF17CC
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\Open Notebook.onetoc2	data	AE8D4280400213C2858CE083D95F9C19	192C9A8E19FF46234DFE4B4A8A485216AD92BE4C	1752EB124F09F84ED5655E517E439CB1695DCBC56D8483E01634F27E1B0091D7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\Open Notebook.onetoc2	data	445535EB41D7284D0EE8F26E7CA34819	27EACE75EA75A8BC8C7EEFAB71A11ACA242DD3B7	588F0080CFE15D736029BB10122CE0DCC0DA074D9784DA76AB4985F41E8DC981
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\Open Notebook.onetoc2	data	66DD3F9AC1E385E504F2EC3056200098	64E813C5824B1B0E6DCDD15D150DF26CAB6BB859	08EF780269CA50DAD91C697B8D465F5FAB6906F5AC0DD9D5A2B78252C10C930D
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\Open Notebook.onetoc2	data	C71590975AF7B292564958D996F9EAC6	B653E796F7B49F417CC6CB7ACFDE936FCF327917	8A77559F11F07D6CB8B744B601F710110E80A1114CCE16FBE70E16440510DC3E
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Open Notebook.onetoc2	data	48FA1680E67BC238E0BDCCA7B49FCEBD	6BC3608E0E0072B4B546C994304B040605945899	BDF719594A063337AE7340E21A16D900A77F505906240793386DF431EFB2EF92
C:\Users\user\AppData\Roaming\Microsoft\Templates\Open Notebook.onetoc2	data	A7F5D11AE6EBCA29282BA5FF906810FE	FDF6AB8EF4144E312D753458A7727DF487B1813F	D49D3895056D40880671DC65622015B804E7F536737D7953D4A017101207E495
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms (copy)	data	4BE7CF0E3EEC84C805DACAC503592E2A	56431F009106408779A9AC1EA1AD1C74FE8B82CD	CE4F4A50E3ABE08F7A279779BA4A46EC7C5576A138A8E806B709DDF67846517C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms~RF3dc76.TMP (copy)	data	4BE7CF0E3EEC84C805DACAC503592E2A	56431F009106408779A9AC1EA1AD1C74FE8B82CD	CE4F4A50E3ABE08F7A279779BA4A46EC7C5576A138A8E806B709DDF67846517C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GSW8AE0M5519PXI4POU4.temp	data	4BE7CF0E3EEC84C805DACAC503592E2A	56431F009106408779A9AC1EA1AD1C74FE8B82CD	CE4F4A50E3ABE08F7A279779BA4A46EC7C5576A138A8E806B709DDF67846517C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O01AHY6Q5IAUOAOC7SBE.temp	Matlab v4 mat-file (little endian) \253\373\277\272, sparse, rows 1, columns 0, imaginary	4FCB2A3EE025E4A10D21E1B154873FE2	57658E2FA594B7D0B99D02E041D0F3418E58856B	90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, Sparse, ctime=Thu May 27 16:03:55 2021, mtime=Tue Feb 7 17:57:17 2023, atime=Thu May 27 16:03:55 2021, length=179528, window=hide	050EBB398D25610EBC052C6793AB914E	BD2C1F3C4D8A833337F42AE0FB2D452D4EB9CF7C	95D325BC0C9C746083AB5259EECD312F4F5F60C07C18901C78B1C4453FD447BB
C:\Users\user\Desktop\Document.one	data	401006DF171CBE1E8FA1DDF2A6841B41	2BF2D76A9D726B4BB5627F78FA48383A37A3DE23	90C79CDCA812A02CFB47C42F89C20BAECB391C42845CA0D403DA7DF21CF5A875
C:\Users\user\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2	data	6866679CB79DAF70306C8740B639EB43	2805B0647784E42D800E23A8FFA0B608D89BFFD9	EB9658BF36E22FBF8E38CF5C8DB8838BB4B4E2BCA8BE81E60891D3D4CBCF8D1A
C:\Users\user\Documents\OneNote Notebooks\My Notebook\Quick Notes.one	data	6138CAE01B8751BFB32E8B762C66C1A3	98A6CDDF913E3EA15C8E87320CD6DA63437B020E	E72543A3D199C3BAB05C723B3C31CBD2F5BFF129C6C5F39CB4CFE5EBA943106D

Windows Analysis Report
Document.one

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report Document.one

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
Document.one