
Analysis Report acceptable_use_policy.docm

Overview

General Information

Sample Name: acceptable_use_policy.docm
Analysis ID: 321433
MD5: d651d3331b60eeeb49eb0fdc17b7b1df
SHA1: bb816e1502b0baaa77742fde8c25bbc42c717674
SHA256: a0a9eca457bd72df44a7ff398b5b4469bb4d1057fd43d7906c948b99f7be51ca

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Machine Learning detection for sample
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 852 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: acceptable_use_policy.docm | Virustotal: Detection: 59%
Source: acceptable_use_policy.docm | ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: acceptable_use_policy.docm | Joe Sandbox ML: detected
Source: winword.exe | Memory has grown: Private usage: 0MB later: 100MB
Source: global traffic | DNS query: name: intergalacticaeronautic.space
Source: global traffic | TCP traffic: 192.168.2.3:49716 -> 91.195.240.13:443
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: intergalacticaeronautic.space
Source: vbaProject.bin | String found in binary or memory: https://intergalacticaeronautic.space/lsass.exe
Source: vbaProject.bin | String found in binary or memory: https://intergalacticaeronautic.space/win32.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: acceptable_use_policy.docm | OLE, VBA macro line: z = Shell(l, 0)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: acceptable_use_policy.docm | Stream path 'VBA/ThisDocument': found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, found possibly 'ADODB.Stream' functions open, savetofile, write
Document contains an embedded VBA with functions possibly related to HTTP operations
Source: acceptable_use_policy.docm | Stream path 'VBA/ThisDocument': found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: acceptable_use_policy.docm | OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open
Source: acceptable_use_policy.docm | OLE indicator, VBA macros: true
Source: acceptable_use_policy.docm | OLE indicator has summary info: false
Source: acceptable_use_policy.docm | OLE indicator application name: unknown
Source: classification engine | Classification label: mal64.winDOCM@1/8@1/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{A4DB4902-2362-4DC5-9A85-B4263CD16D08} - OProcSessId.dat
Source: acceptable_use_policy.docm | OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: acceptable_use_policy.docm | Virustotal: Detection: 59%
Source: acceptable_use_policy.docm | ReversingLabs: Detection: 48%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: acceptable_use_policy.docm | Initial sample: OLE zip file path = word/_rels/header1.xml.rels
Source: acceptable_use_policy.docm | Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Scripting32, Exploitation for Client Execution3, At (Linux)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Extra Window Memory Injection1, Boot or Logon Initialization Scripts, Logon Script (Windows)
Defense Evasion: Masquerading1, Scripting32, Extra Window Memory Injection1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: File and Directory Discovery1, System Information Discovery1, Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Command and Control: Encrypted Channel2, Non-Application Layer Protocol1, Application Layer Protocol12
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
acceptable_use_policy.docm | 60% | Virustotal | | Browse
acceptable_use_policy.docm | 48% | ReversingLabs | Script.Downloader.Obfuser |
acceptable_use_policy.docm | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
intergalacticaeronautic.space | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://wus2-000.contentsync. | 0% | URL Reputation | safe |
https://wus2-000.contentsync. | 0% | URL Reputation | safe |
https://wus2-000.contentsync. | 0% | URL Reputation | safe |
https://wus2-000.contentsync. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | | Browse
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe |
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe |
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe |
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe |
https://intergalacticaeronautic.space/lsass.exe | 2% | Virustotal | | Browse
https://intergalacticaeronautic.space/lsass.exe | 0% | Avira URL Cloud | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://intergalacticaeronautic.space/win32.exe | 0% | Avira URL Cloud | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://ncus-000.contentsync. | 0% | URL Reputation | safe |
https://ncus-000.contentsync. | 0% | URL Reputation | safe |
https://ncus-000.contentsync. | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
https://directory.services. | 0% | URL Reputation | safe |
https://directory.services. | 0% | URL Reputation | safe |
https://directory.services. | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
intergalacticaeronautic.space | 91.195.240.13 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://login.microsoftonline.com/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://shell.suite.office.com:1443 | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://cdn.entity. | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://api.addins.omex.office.net/appinfo/query | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://wus2-000.contentsync. | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://powerlift.acompli.net | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://cortana.ai | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://api.aadrm.com/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://api.microsoftstream.com/api/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://cr.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://portal.office.com/account/?ref=ClientMeControl | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://ecs.office.com/config/v2/Office | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://graph.ppe.windows.net | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://powerlift-frontdesk.acompli.net | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://tasks.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://store.office.cn/addinstemplate | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://wus2-000.pagecontentsync. | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://intergalacticaeronautic.space/lsass.exe | vbaProject.bin | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://store.officeppe.com/addinstemplate | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://dev0-api.acompli.net/autodetect | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://www.odwebp.svc.ms | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://api.powerbi.com/v1.0/myorg/groups | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://web.microsoftstream.com/video/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://graph.windows.net | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://dataservice.o365filtering.com/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://officesetup.getmicrosoftkey.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x4) | unknown
https://analysis.windows.net/powerbi/api | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://intergalacticaeronautic.space/win32.exe | vbaProject.bin | false | Avira URL Cloud: safe | unknown
https://prod-global-autodetect.acompli.net/autodetect | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x3) | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
http://weather.service.msn.com/data.aspx | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://apis.live.net/v5.0/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x3) | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://management.azure.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://outlook.office365.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://incidents.diagnostics.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://api.office.net | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://entitlement.diagnostics.office.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://autodiscover-s.outlook.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://templatelogging.office.com/client/log | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://management.azure.com/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://ncus-000.contentsync. | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x3) | unknown
https://login.windows.net/common/oauth2/authorize | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x3) | unknown
https://graph.windows.net/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://devnull.onenote.com | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://messaging.office.com/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://augloop.office.com/v2 | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
https://skyapi.live.net/Activity/ | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | URL Reputation: safe (x3) | unknown
https://clients.config.office.net/user/v1.0/mac | 05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.dr | false | | high
                                                                                                                                        https://dataservice.o365filtering.com05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://onedrive.live.com05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://ovisualuiapp.azurewebsites.net/pbiagave/05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://visio.uservoice.com/forums/368202-visio-on-devices05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://directory.services.05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://login.windows-ppe.net/common/oauth2/authorize05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://loki.delve.office.com/api/v1/configuration/officewin32/05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://onedrive.live.com/embed?05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB.0.drfalse
                                                                                                                                                  high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.13 | unknown | Germany | 47846 | SEDO-ASDE | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321433
Start date: 22.11.2020
Start time: 05:11:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: acceptable_use_policy.docm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.winDOCM@1/8@1/1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .docm
Warnings:
• Max analysis timeout: 720s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, WinStore.App.exe, RuntimeBroker.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, ApplicationFrameHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe, Defrag.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 52.109.32.27, 52.109.88.40, 52.109.88.38, 51.104.144.132, 2.20.84.85, 20.54.26.129, 205.185.216.10, 205.185.216.42, 51.11.168.160, 92.122.213.247, 92.122.213.194, 51.104.139.180, 52.155.217.156, 2.20.85.126, 40.90.23.154, 40.90.137.120, 40.90.23.208, 40.90.23.247, 13.104.215.72, 40.90.137.124, 40.90.23.153, 40.90.137.125, 40.127.240.158, 51.104.136.2
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, blu-main-ips-v4only.b.lg.prod.aadmsa.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match: 91.195.240.13

Associated Sample Name / URL | Detection | Context
H4A2-423-EM152-010.TIF.exe | malicious | www.smobz.com/ukj/?Ezu=6QwYUCSLPFcKJYuBdUDYqHrTALkpF8bqM6rRkIucBz4KsP3ogUDK0i/zbdTcuU1sFZfY&lhuL6=Txol_LV
#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe | malicious | www.smobz.com/ukj/?BZ=6QwYUCSLPFcKJYuBdUDYqHrTALkpF8bqM6rRkIucBz4KsP3ogUDK0i/zbdT2xkFsBbXY&I48=4hOl78_
nel.exe | malicious | www.office421.com/ns424/?KzrPX=kzrxP8&lJEpgpp=Cbpn9HPdnDvxKwh9tZDgvWZ3FWN5DdzTd5Eh64pT0MIinpxEBbCqVi4obr5cHTy4QQ+KEGF/dw==
168768566-104646-sdfnt5-8.exe | malicious | www.app7924.com/sr1/

Domains

Match: intergalacticaeronautic.space

Associated Sample Name / URL | Detection | Context
acceptable_use_policy.docm | malicious | 3.17.65.40
acceptable_use_policy.docm | malicious | 3.17.65.40
acceptable_use_policy.docm | malicious | 3.17.65.40

ASN

Match: SEDO-ASDE

Associated Sample Name / URL | Detection | Context
acceptable_use_policy.docm | malicious | 91.195.240.13
Tyre Pricelist.xlsx | malicious | 91.195.241.137
new file.exe.exe | malicious | 91.195.241.136
Bonifico n.1101202910070714.exe | malicious | 91.195.241.136
hRVrTsMv25.exe | malicious | 91.195.241.136
v6k2UHU2xk.exe | malicious | 91.195.241.136
http://walmartmoneycard.xyz | malicious | 91.195.240.136
http://ww1.0ffice.com/ | malicious | 91.195.240.14
New Additional Agreement.exe | malicious | 91.195.240.94
UBEH7JEUC0.exe | malicious | 91.195.241.136
Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
H4A2-423-EM152-010.TIF.exe | malicious | 91.195.240.13
Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
ORDER7098EAR.exe | malicious | 91.195.241.136
mFNIsJZPe2.exe | malicious | 91.195.240.94
http://walmartmoneycard.xyz | malicious | 91.195.240.136
Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
AWB# 9284730932.exe | malicious | 91.195.240.94
DEWA PROJECT 12100317.exe | malicious | 91.195.240.94
http://tgreendot.com | malicious | 91.195.240.136

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Context
Fennec Pharma.xlsx | malicious | 91.195.240.13
https://elharless.github.io/stamapdevmo/tak.html?bbre=oadfis48sd | malicious | 91.195.240.13
https://albanesebros.sendx.io/lp/shared-doc.html | malicious | 91.195.240.13
https://faxfax.zizera.com/remittanceadvice | malicious | 91.195.240.13
https://flyboyfurnishings.com/firstam/RD-FITT | malicious | 91.195.240.13
http://webnavigator.co | malicious | 91.195.240.13
http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t | malicious | 91.195.240.13
http://microsoftonlineofficeteam.weebly.com | malicious | 91.195.240.13
ACH & WlRE REMlTTANCE ADVlCE.xlsx | malicious | 91.195.240.13
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | malicious | 91.195.240.13
Payment conflict- aptiv 082920134110.htm | malicious | 91.195.240.13
https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | malicious | 91.195.240.13
https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2 | malicious | 91.195.240.13
https://coralcliffs.com.do/review/ | malicious | 91.195.240.13
http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | malicious |
                                                                                                                                                  • 91.195.240.13
                                                                                                                                                  https://hastebin.com/raw/xatuvoxixaGet hashmaliciousBrowse
                                                                                                                                                  • 91.195.240.13
                                                                                                                                                  https://rebrand.ly/zkp0yGet hashmaliciousBrowse
                                                                                                                                                  • 91.195.240.13
                                                                                                                                                  USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEGet hashmaliciousBrowse
                                                                                                                                                  • 91.195.240.13
                                                                                                                                                  Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeGet hashmaliciousBrowse
                                                                                                                                                  • 91.195.240.13
                                                                                                                                                  https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3DGet hashmaliciousBrowse
                                                                                                                                                  • 91.195.240.13

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\05B3CD1D-BFF3-45C7-9E5B-E4F72DEEA2BB
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):129952
                                                                                                                                                  Entropy (8bit):5.378321058432751
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:TcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:xmQ9DQW+zBX8u
                                                                                                                                                  MD5:27AA85ED04DD9E5DC7597778AA76A6ED
                                                                                                                                                  SHA1:5C05457780A3B3D58D330602FF948366B8B52C54
                                                                                                                                                  SHA-256:A89E0386B4D9828C049321C664CE647F49570D927B0E2A65F5551658D6DA6E3E
                                                                                                                                                  SHA-512:29410CC39735371F1D9D888E2F0D2D75E55B87125CCF42FFCD8692EF72EB707E0B2083A365265EA4DF7B283A817E401E277C7C095E25E79B730817749FD1B053
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-22T04:12:44">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9150D587-E522-4DE4-8C1E-DEF2200D6092}.tmp
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):39472
                                                                                                                                                  Entropy (8bit):4.066495003231631
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:+gXnxdZBHbJ5rhVgkABKEuzs3ouLORZkFzj6ShJ7VHzwNgNRIhfYXZBFQg/rV:TcZVB
                                                                                                                                                  MD5:9937792D604A0FE2C681ADD5873A0864
                                                                                                                                                  SHA1:AE878B6731904130E4D00911C66E33A09D258D4A
                                                                                                                                                  SHA-256:FEC7B469671CD5FCE86870C34D8DE4D8BEDB8B17551F5864B15C429FC9EB380C
                                                                                                                                                  SHA-512:2309D50F95EAD1BD388EA07F5480403E6F07BB24F93DB63EFF826BA3E0472E10E42EA925956AC17665F090E92EE11AC06E0A8CDD60098DD6A77B5012E81C7C36
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: ................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>...................A.c.c.e.p.t.a.b.l.e. .U.s.e. .P.o.l.i.c.y.......O.v.e.r.v.i.e.w...I.n.f.o.s.e.c.. s. .i.n.t.e.n.t.i.o.n.s. .f.o.r. .p.u.b.l.i.s.h.i.n.g. .a.n. .A.c.c.e.p.t.a.b.l.e. .U.s.e. .P.o.l.i.c.y. .a.r.e. .n.o.t. .t.o. .i.m.p.o.s.e. .r.e.s.t.r.i.c.t.i.o.n.s. .t.h.a.t. .a.r.e. .c.o.n.t.r.a.r.y. .t.o. .I.n.t.e.r.g.a.l.a.c.t.i.c. .A.e.r.o.n.a.u.t.i.c.s.. s........................................................................................................................................................................................................................................................................................................................................................................d........^............d........^................d......,.]...^.......&..F.......E..........`...............^...........^........$...K...<...[.].K.^.<.a
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{ED59803E-BD82-4E37-B902-B266B8ECC101}.tmp
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1024
                                                                                                                                                  Entropy (8bit):0.05390218305374581
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\mso6973.tmp
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:GIF image data, version 89a, 15 x 15
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):663
                                                                                                                                                  Entropy (8bit):5.949125862393289
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
                                                                                                                                                  MD5:ED3C1C40B68BA4F40DB15529D5443DEC
                                                                                                                                                  SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
                                                                                                                                                  SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
                                                                                                                                                  SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview: GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\acceptable_use_policy.docm.LNK
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:38 2020, mtime=Sun Nov 22 12:12:43 2020, atime=Sun Nov 22 12:12:41 2020, length=765751, window=hide
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2230
                                                                                                                                                  Entropy (8bit):4.7391661383878585
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:8iu1V2IMnKG0MMjB6piu1V2IMnKG0MMjB6:8iuPZjKiuPZj
                                                                                                                                                  MD5:FDE94798B9386CECBB82FDA1D878820A
                                                                                                                                                  SHA1:CA381AD9E3DAF3B3242291B704569FAFF07C898E
                                                                                                                                                  SHA-256:AB70DE0D06FDE5CE912F57CCA7BC23BE34909596AFA660EE444EFA793C2515DC
                                                                                                                                                  SHA-512:84AC308C594E2751892A94890129281685C5AA12AF349E98E7ECAB1521F2A2649B310159EEC1FA75AD13550326136C8BE57C52C4298DD87982C92382643CFBB3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: L..................F.... ....}..:.....)......j(....7............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..vQ.i....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qux..user.<.......Ny.vQ.i.....S........................h.a.r.d.z.....~.1.....>Qvx..Desktop.h.......Ny.vQ.i.....Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.7...vQ.i .ACCEPT~1.DOC..f......>QtxvQ.i....h.......................m.a.c.c.e.p.t.a.b.l.e._.u.s.e._.p.o.l.i.c.y...d.o.c.m.......`...............-......._...........>.S......C:\Users\user\Desktop\acceptable_use_policy.docm..1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.a.c.c.e.p.t.a.b.l.e._.u.s.e._.p.o.l.i.c.y...d.o.c.m.........:..,.LB.)...As...`.......X.......760639...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):118
                                                                                                                                                  Entropy (8bit):4.471727614263811
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:HPRwcMMEG2prScGFcMMEG2prSmxWPRwcMMEG2prSv:HPRsRGO4RGOeRsRGOI
                                                                                                                                                  MD5:F294413B5F2DEC815C4B94797368F7E5
                                                                                                                                                  SHA1:D5008F974E54419BCD734905DBD3FCE2B01D56BD
                                                                                                                                                  SHA-256:D3FCAE6B0458FF86847E03DF46CFEAABAA51DAB99F0640FE70B31DCD2B43EFEE
                                                                                                                                                  SHA-512:803EA26E5435C15C1E0A7BC11FF977B4D2D3CEB4A5F934C6FE6273F85AFAB4223A58ECDAB88E4E6DA6AF05BCA361AB0D67B9FA57CC972BA782BB324EF53E4166
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: [misc]..acceptable_use_policy.docm.LNK=0..acceptable_use_policy.docm.LNK=0..[misc]..acceptable_use_policy.docm.LNK=0..
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):162
                                                                                                                                                  Entropy (8bit):1.8316997406131903
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:Rl/ZdoJkYl9/tlclT1hsllglRhlXln:RtZykYchhMgP
                                                                                                                                                  MD5:053AB0C37B4651E9D85E6DEF5254BF60
                                                                                                                                                  SHA1:212BDB6A5729C91BA5F2A8954FB7F3014198DF40
                                                                                                                                                  SHA-256:425817B5286E5EC6B4454FEDBD88F185A2F330F0874A611234D4237591360853
                                                                                                                                                  SHA-512:007C34E6926F8DF1DD7A84B75F92C28159C696D68A52B1AB1256853D7589E5438864ED94F9CDE464CA937140EF5686F51C9C824EE0366956D83842D27E11E9F6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
Preview: .pratesh................................................p.r.a.t.e.s.h..........ll'.=....................................................G_$......................
C:\Users\user\Desktop\~$ceptable_use_policy.docm
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):1.8316997406131903
Encrypted:false
SSDEEP:3:Rl/ZdoJkYl9/tlclT1hsllglRhlXln:RtZykYchhMgP
MD5:053AB0C37B4651E9D85E6DEF5254BF60
SHA1:212BDB6A5729C91BA5F2A8954FB7F3014198DF40
SHA-256:425817B5286E5EC6B4454FEDBD88F185A2F330F0874A611234D4237591360853
SHA-512:007C34E6926F8DF1DD7A84B75F92C28159C696D68A52B1AB1256853D7589E5438864ED94F9CDE464CA937140EF5686F51C9C824EE0366956D83842D27E11E9F6
Malicious:false
Reputation:low
Preview: .pratesh................................................p.r.a.t.e.s.h..........ll'.=....................................................G_$......................

Static File Info

General

File type:Microsoft Word 2007+
Entropy (8bit):7.974352084549378
TrID:
• Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
• Word Microsoft Office Open XML Format document (49504/1) 32.35%
• Word Microsoft Office Open XML Format document (43504/1) 28.43%
• ZIP compressed archive (8000/1) 5.23%
File name:acceptable_use_policy.docm
File size:785211
MD5:d651d3331b60eeeb49eb0fdc17b7b1df
SHA1:bb816e1502b0baaa77742fde8c25bbc42c717674
SHA256:a0a9eca457bd72df44a7ff398b5b4469bb4d1057fd43d7906c948b99f7be51ca
SHA512:48ab987baa051f3c95c205ff3c65f0f77389f92a74791e44195c655c4e84523112ac9e060a31679994c47e6677c7f7bde6d84521684ed3cdee86c1df16270ed6
SSDEEP:12288:Jnw0QEKpz/X0Ud46KsXhbSPhSxIxTqwwptJ22/baZ2J/SBxgegx:JwUKpzMn6LB5xmTqwwLc2FSBi5x
File Content Preview:PK..........!.?9..............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash:74fcd0d2f692908c

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "/opt/package/joesandbox/database/analysis/321433/sample/acceptable_use_policy.docm"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Title:
Subject:
Author:Glenn
Keywords:
Template:Normal
Last Saved By:Glenn
Revision Number:10
Total Edit Time:7
Create Time:2019-10-23T16:40:00Z
Last Saved Time:2020-06-04T00:49:00Z
Number of Pages:7
Number of Words:1990
Number of Characters:11349
Creating Application:Microsoft Office Word
Security:0

Document Summary

Number of Lines:94
Number of Paragraphs:26
Thumbnail Scaling Desired:false
Company:
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 3038
General
Stream Path:VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:3038
Data ASCII:. . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . > I M + # $ M . G . . H . . . . y . . . . $ @ . . + . 6 = . . . . . . . . . . . . . . . . . . . . . . q 2 . P . . H K . . . . / + 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . q 2 . P . . H K . . . . / + 8 . . > I M + # $ M . G . . H . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 01 00 04 00 01 00 00 16 06 00 00 e4 00 00 00 62 02 00 00 92 06 00 00 a0 06 00 00 d8 09 00 00 00 00 00 00 01 00 00 00 4d 9e bb bb 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 c3 3e 49 4d 2b 23 24 4d ad 47 8a 0d 48 a3 bf 9c 2e 79 0d df 0e bd 24 40 b7 c5 2b ee 36 3d 86 fd 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Shell(l,
o.Close
o.Write
VB_Name
VB_Creatable
VB_Exposed
r.Status
ActiveDocument.Path
"GET",
o.SaveToFile
CreateObject("Microsoft.XMLHTTP")
String
Object
o.Type
CreateObject("ADODB.Stream")
VB_Customizable
r.send
o.Open
"https://intergalacticaeronautic.space/lsass.exe"
Document_Open()
r.Open
VB_TemplateDerived
"ThisDocument"
False
"\lsass.exe"
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
r.responseBody
VBA Code

                                                                                                                                                  Streams

                                                                                                                                                  Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 366
                                                                                                                                                  General
                                                                                                                                                  Stream Path:PROJECT
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Stream Size:366
                                                                                                                                                  Entropy:5.32151305526
                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                  Data ASCII:I D = " { 4 5 8 7 1 3 E 5 - 7 7 D A - 4 E C 6 - 9 0 7 7 - 0 1 1 A C 2 4 A 7 C 1 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 9 B B 0 6 7 E 0 A 7 E 0 A 7 E 0 A 7 E 0 A " . . D P B = " 7 2 7 0 C D 9 6 8 7 9 7 8 7 9 7 8 7 " . . G C = " 2 B 2 9 9 4 5 1 4 C 5 2 4 C 5 2 B 3 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0
                                                                                                                                                  Data Raw:49 44 3d 22 7b 34 35 38 37 31 33 45 35 2d 37 37 44 41 2d 34 45 43 36 2d 39 30 37 37 2d 30 31 31 41 43 32 34 41 37 43 31 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                                                                                                                                                  Stream Path: PROJECTwm, File Type: data, Stream Size: 41
                                                                                                                                                  General
                                                                                                                                                  Stream Path:PROJECTwm
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:41
                                                                                                                                                  Entropy:3.07738448508
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                                                                                                  Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                                                                                                                                                  Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2765
                                                                                                                                                  General
                                                                                                                                                  Stream Path:VBA/_VBA_PROJECT
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:2765
                                                                                                                                                  Entropy:4.23158328116
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
                                                                                                                                                  Data Raw:cc 61 af 00 00 01 00 ff 09 0c 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                                                                  Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1752
                                                                                                                                                  General
                                                                                                                                                  Stream Path:VBA/__SRP_0
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:1752
                                                                                                                                                  Entropy:4.25450094175
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . N . . . x | . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . .
                                                                                                                                                  Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00
                                                                                                                                                  Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 102
                                                                                                                                                  General
                                                                                                                                                  Stream Path:VBA/__SRP_1
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:102
                                                                                                                                                  Entropy:2.15571505385
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . p . . . . . . .
                                                                                                                                                  Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 f9 02 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00
                                                                                                                                                  Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 796
                                                                                                                                                  General
                                                                                                                                                  Stream Path:VBA/__SRP_2
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:796
                                                                                                                                                  Entropy:3.84331960003
                                                                                                                                                  Base64 Encoded:False
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 103
General
Stream Path: VBA/__SRP_3
File Type: data
Stream Size: 103
Entropy: 2.08761800893
Base64 Encoded: False
Stream Path: VBA/dir, File Type: shared library, Stream Size: 520
General
Stream Path: VBA/dir
File Type: shared library
Stream Size: 520
Entropy: 6.28781093451
Base64 Encoded: True

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2020 05:12:45.729181051 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.750565052 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.750672102 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.751651049 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.772912025 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836504936 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836551905 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836591005 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836617947 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836653948 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.836671114 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.836703062 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.836707115 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.836710930 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.836714029 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.847249985 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.868419886 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.868926048 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.869096041 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.870538950 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:12:45.891907930 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.893280983 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:12:45.893445015 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:13:15.891333103 CET | 443 | 49716 | 91.195.240.13 | 192.168.2.3
Nov 22, 2020 05:13:15.891520023 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:34.101912022 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:34.411735058 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:35.020961046 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:36.224421978 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:38.630793095 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:43.443552017 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13
Nov 22, 2020 05:14:53.053894997 CET | 49716 | 443 | 192.168.2.3 | 91.195.240.13

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2020 05:12:38.905174971 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:38.941056013 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:39.997642040 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:40.033616066 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:40.921914101 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:40.949079037 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:42.201452971 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:42.228671074 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:43.739424944 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:43.775238991 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:44.265536070 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:44.303030968 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:44.680501938 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:44.719669104 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:45.677229881 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:45.696132898 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:45.727130890 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:45.731714010 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:45.746714115 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:45.773706913 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:46.607131004 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:46.643052101 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:46.699609041 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:46.739139080 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:47.718313932 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:47.745794058 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:48.715670109 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:48.751635075 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:48.758599997 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:48.785990953 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:49.792366028 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:49.828241110 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:50.899888992 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:50.927149057 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:52.027534008 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:52.054639101 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:52.731410027 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:52.767261028 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:12:54.150993109 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:12:54.178409100 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:07.995281935 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:08.022900105 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:15.149247885 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:15.187094927 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:21.172059059 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:21.224338055 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:28.216665983 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:28.243720055 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:41.786384106 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:41.813831091 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:13:45.944058895 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:13:45.983392000 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:14:16.350230932 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:14:16.377444983 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:14:17.530527115 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:14:17.566401005 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:30.961596012 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:31.014822960 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:31.435285091 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:31.476208925 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:31.880625010 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:31.916620970 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:32.234105110 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:32.272311926 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:32.595633984 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:32.631609917 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:33.027057886 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:33.062951088 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:33.576574087 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:33.612097025 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:34.433212996 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:34.471251011 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:35.203119993 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:35.230464935 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:15:35.611021042 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:15:35.646786928 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:02.488928080 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:02.528470039 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:24.743781090 CET | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:24.771028042 CET | 53 | 56803 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:25.274699926 CET | 57145 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:25.326317072 CET | 53 | 57145 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:26.064470053 CET | 55359 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:26.102704048 CET | 53 | 55359 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:26.486206055 CET | 58306 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:26.530468941 CET | 53 | 58306 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:17:26.717951059 CET | 64124 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:17:26.753870010 CET | 53 | 64124 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:19:47.149286032 CET | 49361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:19:47.176538944 CET | 53 | 49361 | 8.8.8.8 | 192.168.2.3
Nov 22, 2020 05:20:19.745837927 CET | 63150 | 53 | 192.168.2.3 | 8.8.8.8
Nov 22, 2020 05:20:19.797338963 CET | 53 | 63150 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 22, 2020 05:12:45.677229881 CET | 192.168.2.3 | 8.8.8.8 | 0x5427 | Standard query (0) | intergalacticaeronautic.space | A (IP address) | IN (0x0001)

                                                                                                                                                  DNS Answers

                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                  Nov 22, 2020 05:12:45.727130890 CET8.8.8.8192.168.2.30x5427No error (0)intergalacticaeronautic.space91.195.240.13A (IP address)IN (0x0001)

HTTPS Packets

Timestamp: Nov 22, 2020 05:12:45.836653948 CET
Source IP: 91.195.240.13
Source Port: 443
Dest IP: 192.168.2.3
Dest Port: 49716
Subject: CN=intergalacticaeronautic.space
Issuer: CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Mon Jun 29 02:00:00 CEST 2020
Not After: Wed Jun 30 14:00:00 CEST 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Certificate chain (Subject | Issuer | Not Before | Not After):
CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 27 13:46:10 CET 2017 | Sat Nov 27 13:46:10 CET 2027
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Fri Nov 10 01:00:00 CET 2006 | Mon Nov 10 01:00:00 CET 2031

Code Manipulations

Statistics

System Behavior

General

Start time: 05:12:41
Start date: 22/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x40000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly