Lubomir

Hi Lockbits! .com extension still can be executed on Windows, let's take as an example system utilities such as tree.com or more.com. Since content.mso is the folder where office files are cached, it could easily be legit. However, when we look at it with paranoid eye, it could also be the functionality of storing temporary files (or just the location) misused to store arbitrary data in a form that can be executed and then executed. So it's hard to tell for sure unless you have the file, or you know if it was executed. To be on the safe side I would: - check if any other suspicious events were done by that instance of winword (aggregated events, raw events) - check if any other suspicious events happened on that computer - find the d4ae7e10.com file itself (you already did this) - find the file which was opened by word (look at the aggregated events tab of winword process or explorer process) - find if d4ae7e10.com file was executed - check the process tree (this process tree doesn't indicate that) - use search to find any events for d4ae7e10.com - search for d4ae7e10.com file in executables view