
ID: 330706
Sample Name: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Cookbook: defaultwindowsofficecookbook.jbs
Time: 14:51:31
Date: 15/12/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents (page 2)
Analysis Report RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc (page 4)
Overview (page 4)
General Information (page 4)
Detection (page 4)
Signatures (page 4)
Classification (page 4)
Startup (page 4)
Configuration (page 4)
Yara Overview (page 4)
Sigma Overview (page 4)
Signature Overview (page 4)
AV Detection (page 5)
Mitre Att&ck Matrix (page 5)
Behavior Graph (page 5)
Screenshots (page 6)
Thumbnails (page 6)
Antivirus, Machine Learning and Genetic Malware Detection (page 7)
Initial Sample (page 7)
Dropped Files (page 7)
Unpacked PE Files (page 7)
Domains (page 7)
URLs (page 7)
Domains and IPs (page 9)
Contacted Domains (page 9)
URLs from Memory and Binaries (page 9)
Contacted IPs (page 12)
General Information (page 12)
Simulations (page 13)
Behavior and APIs (page 13)
Joe Sandbox View / Context (page 13)
IPs (page 14)
Domains (page 14)
ASN (page 14)
JA3 Fingerprints (page 14)
Dropped Files (page 14)
Created / dropped Files (page 14)
Static File Info (page 16)
General (page 16)
File Icon (page 17)
Static RTF Info (page 17)
Objects (page 17)
Network Behavior (page 17)
UDP Packets (page 17)
Code Manipulations (page 18)
Statistics (page 18)
System Behavior (page 18)
Analysis Process: WINWORD.EXE PID: 896 Parent PID: 792 (page 18)
General (page 18)
File Activities (page 18)
File Created (page 18)
File Deleted (page 19)
Registry Activities (page 19)
Key Created (page 19)
Key Value Created (page 19)
Key Value Modified (page 21)
Disassembly (page 23)

Copyright null 2020 Page 2 of 23

Analysis Report RFQ0270004296-PR0720001831-Grasp …Trading Pvt. Ltd.doc

Overview

General Information

Sample Name: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Analysis ID: 330706
MD5: bc49a53c0d2cc2…
SHA1: af1a5a8bd6ec0db…
SHA256: cbddb3f410205c2…
Tags: AZORult doc
Most interesting Screenshot: (image not extracted)

Detection

Verdict: malicious (scale: malicious / suspicious / clean)
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file

Classification

(radar chart; categories shown: Miner, Spreading, Evader, Phishing, Exploiter, Banker, Trojan / Bot, Adware)

Errors

Corrupt sample or wrongly selected analyzer.

Startup

System is w10x64

WINWORD.EXE (PID: 896, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, MD5: 0B9AB9B9C4DE429473D6450D4297A123)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection


AV Detection:

Multi AV Scanner detection for submitted file

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

The number following a technique (Masquerading 1, File and Directory Discovery 1, System Information Discovery 1) is the count of signatures mapped to it in this analysis.

Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph (figure)
ID: 330706
Sample: RFQ0270004296-PR0720001831-...
Startdate: 15/12/2020
Architecture: WINDOWS
Score: 48

Nodes: sample started WINWORD.EXE; signature: Multi AV Scanner detection for submitted file

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Detection: 41%
Scanner: Virustotal

Source: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Detection: 42%
Scanner: ReversingLabs
Label: Document-RTF.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 330706
Start date: 15.12.2020
Start time: 14:51:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winDOC@1/8@0/0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.109.32.63, 52.109.12.24, 52.109.12.22, 23.210.248.85, 51.104.139.180, 92.122.213.194, 92.122.213.247, 8.253.95.120, 8.248.115.254, 8.241.11.254, 67.26.73.254, 8.253.207.121, 51.103.5.186, 52.155.217.156, 20.54.26.129
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Errors: Corrupt sample or wrongly selected analyzer.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\642DB9F0-F259-4E8F-8B55-BD1487123D3C
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 130397
Entropy (8bit): 5.3769904605843735
Encrypted: false
SSDEEP: 1536:ocQceNgrA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:xmQ9DQW+zBX8P
MD5: D802AFF98E3D881E1D2DD147D575D662
SHA1: 5BF079270BCA60DFCF3E467768C29AD37BD24EAC
SHA-256: BEB4B6A0D9CF7BC354C3D7AFBFD4136866E391CD479C03C93CFDD33D0FCE62FE
SHA-512: 8BA7D5A73812A75FF446069A09B82F9A25332B823ED5B44A0D9C4F435A542EF82D9530516747663DF96E2535DCCD31CE0A0E0399D9FE95AE644875DEC5454DDA
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.13611.30529-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{23242880-88E8-4DAC-A577-7B53FA014C3B}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 9728
Entropy (8bit): 3.415681908549128
Encrypted: false
SSDEEP: 192:CCmPGdGwB/8AjyiUFvmPLUsH3vIvScL4hxtSHwqMFUQAlakasOprfZFJiTO1i:WPGE9AjysgsXvIvMgHoUQhkas0rfZF4X
MD5: 3D25404F32D145706491233990E0B58C
SHA1: E67B55C882BBCD25A9A6480CBB4F1A91D8789AD2
SHA-256: FD91D85E1BB6D956A683CB9F4FC178EF3B6229A3BCC79050B2F98F3266C97F85
SHA-512: 7F177DBF4DBDBB9D733D7595423D1E1D460F8BA03637691EF0183B2AB5BFF3B6EFC1F432FCDE1996290CC875DFDC196ACC1AA766327931CAA1CFB8449AC9D406
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9E758A0B-56B0-4E7A-B77F-C97B7D9558BE}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:06 2020, mtime=Tue Dec 15 21:52:27 2020, atime=Tue Dec 15 21:52:24 2020, length=1256325, window=hide
Category: dropped
Size (bytes): 2510
Entropy (8bit): 4.736689443000826
Encrypted: false
SSDEEP: 48:8yKExNYIw2KmnyzpkB6pyKExNYIw2KmnyzpkB6:8hcqmnOpkKhcqmnOpk
MD5: 6EB2B3C865BC6720A572F59096EE198D
SHA1: 367BD1E0DB8FFD25E30AC3BEEEF509A381E7361D
SHA-256: D35BD7795E5BB17E47C9D4753745FB80F57F2D0A6AEC8EBF206D78A2A362CC13
SHA-512: 365E9BD34862390A1C7B99D15D3DB0874A68A865F1BD7D9BDA6C126B25BFADC23E224468478A54D962911152305ED19DACFDB9883968D9037AB9C97B3D0E76AD
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 185
Entropy (8bit): 4.9295132517840905
Encrypted: false
SSDEEP: 3:M1YWAI1Iv+UR0VFi7LrFovbAI1Iv+UR0VFi7LrFomX1YWAI1Iv+UR0VFi7LrFov:M1AIiv13kbAIiv13zAIiv13y
MD5: 79A854F07A56907E950BFA02D45A7729
SHA1: 745123A2DEDFA0221BDA0E780CC885BB36977FFB
SHA-256: 3551849C121133721A54472536ADA51A70CC91E544692A1720748E655E279407
SHA-512: 29DD83DC0B8420B22F7F6A3C0A44C21E193216A29FA7F459F8DAD869AFA8914AE7AFCC9338B546109DC779403F43B082FD790757FDBC0E34BA71F9A709AB398C
Malicious: false
Reputation: low
Preview: [doc]..RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.LNK=0..RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.LNK=0..[doc]..RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.1633835850239964
Encrypted: false
SSDEEP: 3:Rl/Zd1ldkq6t//9CkO/7uk2OLB:RtZnEq6meyB
MD5: 6D3F0146CCAD7287E3430D9AD69B16FF
SHA1: AE9E042EE1DBB1E2E09287A37901CC08A1C20777
SHA-256: 9E3FF8DDFC4F2921E9F1FED3FB833CC1BCE847F09F52A707542B8292A7743E76
SHA-512: D68EDF8F3EC9C651C327B733EF171C90027EB58F24F90B8A20BDE5DD2E6311E1AC7A16DF245908813BC827A8B83C4B9B32D33C18EE3D0474FC760FADCDCBFCE0
Malicious: false
Reputation: low
Preview: .pratesh...... p.r.a.t.e.s.h...0.A.1..A'H...... A#H...... A/H...... $...

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Little-endian UTF-16 Unicode text, with CR line terminators
Category: dropped
Size (bytes): 22
Entropy (8bit): 2.9808259362290785
Encrypted: false
SSDEEP: 3:QAlX0Gn:QKn
MD5: 7962B839183642D3CDC2F9CEBDBF85CE
SHA1: 2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256: 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512: 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious: false
Reputation: high, very likely benign file
Preview: ....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$Q0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.1633835850239964
Encrypted: false
SSDEEP: 3:Rl/Zd1ldkq6t//9CkO/7uk2OLB:RtZnEq6meyB
MD5: 6D3F0146CCAD7287E3430D9AD69B16FF
SHA1: AE9E042EE1DBB1E2E09287A37901CC08A1C20777
SHA-256: 9E3FF8DDFC4F2921E9F1FED3FB833CC1BCE847F09F52A707542B8292A7743E76
SHA-512: D68EDF8F3EC9C651C327B733EF171C90027EB58F24F90B8A20BDE5DD2E6311E1AC7A16DF245908813BC827A8B83C4B9B32D33C18EE3D0474FC760FADCDCBFCE0
Malicious: false
Reputation: low
Preview: .pratesh...... p.r.a.t.e.s.h...0.A.1..A'H...... A#H...... A/H...... $...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 4.031136203938032
TrID: Rich Text Format (5005/1) 55.56%; Rich Text Format (4004/1) 44.44%
File name: RFQ0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
File size: 1256325
MD5: bc49a53c0d2cc22da888680116830aa8
SHA1: af1a5a8bd6ec0db0aa21f2eaa0101a5fd6f0111a
SHA256: cbddb3f410205c2fd1f8067be9b7cf50e4e90b7022990afa04a7d694dde883c2
SHA512: b5bee6aef4d5f515329e1ee1260d2f13746c9679a70dbb6ff2a5aae9664606efd8c66b5164eae7f0e659660e617104f8d313d8c66502bb81dfb5fa31cf6ccfb6
SSDEEP: 24576:tp4EYWj0t4t9F97XxYJBfzroFtjC+o4hZkRklMTqHr0kF:f
File Content Preview: {\rtf9108|_?+???%?3?0_]???%7?1.2.@@?.;`%/.]'5@? @629?(~:@/%!@#8.$:?~%?/??;>7>4[?'+6).8_?=2(*?#& +.>&~9?%:;$!??(=<9[&(!|]|&-=_;&?,@?^,3??4^),..-*09-?, 1'48*&.$?.@[6+3.~49|=|<-_?-5*2!2[+|_%1/*.6]6+5:)?%6. (`)7??.?.*^`.&-`)3.4.><23&;5@9<,4?.`*[%~/2=-`64?|$?+ 1%+0

File Icon

Icon Hash: 74f4c4c6c1cac4d8

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000011A4h | | | | | | | | no

Network Behavior

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2020 14:52:18.889682055 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:18.916721106 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:19.697321892 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:19.721586943 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:21.551687002 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:21.576111078 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:25.417505026 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:25.441970110 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:26.822087049 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:26.855312109 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:27.296147108 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:27.331737995 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:28.302786112 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:28.338282108 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:28.731457949 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:28.758598089 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:29.297561884 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:29.335452080 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:31.313275099 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:31.349067926 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:35.313460112 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:35.348917961 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:39.435134888 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:39.471451998 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:48.056474924 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:48.080729008 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:52:53.075880051 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:52:53.112639904 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:11.221386909 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:11.246100903 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:11.246582985 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:11.295762062 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:15.921838045 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:15.955626011 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:24.628451109 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:24.684351921 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:25.071759939 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:25.096318960 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:25.565289974 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:25.592724085 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:25.905961990 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:25.951275110 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:26.004575014 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:26.037137985 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:26.310000896 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:26.345765114 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:26.781806946 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:26.814732075 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:27.248493910 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:27.281131029 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:28.016516924 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:28.051409006 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:29.045425892 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:29.078037024 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Dec 15, 2020 14:53:29.898025036 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Dec 15, 2020 14:53:29.933552027 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5

Code Manipulations

Statistics

System Behavior

Analysis Process: WINWORD.EXE PID: 896 Parent PID: 792

General

Start time: 14:52:25
Start date: 15/12/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x1170000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

File Path: C:\Users\user\AppData\Local\Temp\VBE
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: success or wait
Count: 1
Address: 661E977C
Symbol: unknown

File Deleted

File Path: C:\Users\user\Desktop\~$Q0270004296-PR0720001831-Grasp Trading Pvt. Ltd.doc
Completion: success or wait
Count: 1
Address: 66115805
Symbol: unknown

Registry Activities

Key Created

Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\\Microsoft\VBA | success or wait | 1 | 66128A84 | RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1 | success or wait | 1 | 66128A84 | RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | success or wait | 1 | 66128A84 | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | success or wait | 1 | 66115805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Offline\Options | success or wait | 1 | 66115805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery | success or wait | 1 | 66115805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\223FA | success or wait | 1 | 66115805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations | success or wait | 1 | 66115805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0 | success or wait | 1 | 66115805 | unknown

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFTWARE\WO Name unicode Recover Text from Any File success or wait 1 66115805 unknown W6432Node\Microsoft\Office\16.0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFTWARE\WO Path unicode C:\Program Files (x86)\Common success or wait 1 66115805 unknown W6432Node\Microsoft\Office\16.0\Word\Text Files\Microsoft Shared\TextCon Converters\Import v\RECOVR32.CNV HKEY_LOCAL_MACHINE\SOFTWARE\WO Extensions unicode * success or wait 1 66115805 unknown W6432Node\Microsoft\Office\16.0\Word\Text Converters\Import HKEY_CURRENT_USER\Software\Microsoft\Shared Cambria Math binary 02 04 05 03 05 04 06 03 02 04 success or wait 1 66115805 unknown Tools\Panose HKEY_CURRENT_USER\Software\Mic 223FA binary 04 00 00 00 80 03 00 00 2B 00 00 00 43 success or wait 1 66115805 unknown rosoft\Office\16.0\Word\Resili 00 3A 00 5C 00 55 00 73 00 65 00 72 00 ency\DocumentRecovery\223FA 73 00 5C 00 61 00 6C 00 66 00 6F 00 6E 00 73 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 69 00 6D 00 67 00 73 00 2E 00 68 00 74 00 6D 00 04 00 00 00 69 00 6D 00 67 00 73 00 00 00 00 00 01 00 00 00 00 00 00 00 BD 08 68 07 35 D3 D6 01 FA 23 02 00 FA 23 02 00 00 00 00 00 DB 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Copyright null 2020 Page 19 of 23 00 00 00 00 00 00 00 00 00 00 00 00 00 Source Key Path Name Type D00a t0a0 00 00 
00 00 00 00 00 00 00 00 00 Completion Count Address Symbol 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 HKEY_CURRENT_USER\Software\Mic File Path unicode C:\Users\user\AppData\Local\Te success or wait 1 66115805 unknown rosoft\Office\16.0\Word\Reading Locations\Document 0 mp\imgs.htm HKEY_CURRENT_USER\Software\Mic Datetime unicode 2020-12-15T14:52 success or wait 1 66115805 unknown rosoft\Office\16.0\Word\Reading Locations\Document 0 HKEY_CURRENT_USER\Software\Mic Position unicode 0 0 success or wait 1 66115805 unknown rosoft\Office\16.0\Word\Reading Locations\Document 0

Copyright null 2020 Page 20 of 23 Key Value Modified

Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFT ProductFiles dword 1368326152 1368326153 success or wait 1 66115805 unknown WARE\Mi crosoft\Windows\CurrentVersion \Installer\UserData\S-1-5-18\P roducts\000061091100000000000 00000F01FEC\Usage HKEY_LOCAL_MACHINE\SOFT ProductFiles dword 1368326153 1368326154 success or wait 1 66115805 unknown WARE\Mi crosoft\Windows\CurrentVersion \Installer\UserData\S-1-5-18\P roducts\000061091100000000000 00000F01FEC\Usage HKEY_LOCAL_MACHINE\SOFT Name unicode Recover Text from Any File WordPerfect 5.x success or wait 1 66115805 unknown WARE\WO W6432Node\Microsoft\Office\16. 0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFT Path unicode C:\Program Files (x86)\Common C:\Program Files (x86)\Common success or wait 1 66115805 unknown WARE\WO Files\Microsoft Shared\TextCon Files\Microsoft Shared\TextCon W6432Node\Microsoft\Office\16. v\RECOVR32.CNV v\WPFT532.CNV 0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFT Extensions unicode * doc success or wait 1 66115805 unknown WARE\WO W6432Node\Microsoft\Office\16. 0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFT Name unicode WordPerfect 5.x WordPerfect 6.x - 7.0 success or wait 1 66115805 unknown WARE\WO W6432Node\Microsoft\Office\16. 0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFT Path unicode C:\Program Files (x86)\Common C:\Program Files (x86)\Common success or wait 1 66115805 unknown WARE\WO Files\Microsoft Shared\TextCon Files\Microsoft Shared\TextCon W6432Node\Microsoft\Office\16. v\WPFT532.CNV v\WPFT632.CNV 0\Word\Text Converters\Import HKEY_LOCAL_MACHINE\SOFT Extensions unicode doc wpd doc success or wait 1 66115805 unknown WARE\WO W6432Node\Microsoft\Office\16. 
0\Word\Text Converters\Import HKEY_CURRENT_USER\Softwar 223FA binary 04 00 00 00 80 03 00 00 2B 00 04 00 00 00 80 03 00 00 2B 00 success or wait 1 66115805 unknown e\Mic 00 00 43 00 3A 00 5C 00 55 00 00 00 43 00 3A 00 5C 00 55 00 rosoft\Office\16.0\Word\Resili 73 00 65 00 72 00 73 00 5C 00 73 00 65 00 72 00 73 00 5C 00 ency\DocumentRecovery\223FA 61 00 6C 00 66 00 6F 00 6E 00 61 00 6C 00 66 00 6F 00 6E 00 73 00 5C 00 41 00 70 00 70 00 73 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 69 00 6D 00 67 00 73 00 5C 00 69 00 6D 00 67 00 73 00 2E 00 68 00 74 00 6D 00 04 00 2E 00 68 00 74 00 6D 00 04 00 00 00 69 00 6D 00 67 00 73 00 00 00 69 00 6D 00 67 00 73 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 BD 08 68 07 35 D3 D6 01 00 00 00 00 00 00 00 00 00 00 FA 23 02 00 FA 23 02 00 00 00 FA 23 02 00 FA 23 02 00 00 00 00 00 DB 04 00 00 02 00 00 00 00 00 DB 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Copyright null 2020 Page 21 of 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Source Key Path Name Type O00ld 0 D0 a0t0a 00 00 00 00 00 00 00 N00e w00 D 0a0t a00 00 00 00 00 00 00 Completion Count Address Symbol 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Copyright null 2020 Page 22 of 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Source Key Path Name Type O00ld 0 D0 a0t0a 00 00 FF FF FF FF 00 N00e w00 D 0a0t a00 00 FF FF FF FF 00 Completion Count Address Symbol 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Disassembly

Copyright null 2020 Page 23 of 23