
Analysis Report: Covid-19 Payroll Tax Adjustment.docx

Overview

General Information

Sample Name: Covid-19 Payroll Tax Adjustment.docx
Analysis ID: 392737
MD5: f78e1a17152954d2c56e3de7f889065f
SHA1: 9ad2cffb62540c6ad60eee087c97cc756949adfd
SHA256: 606e7c0165678adb36211ad727f8d128577a06584034ee39402b9a931f457b06

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains an external reference to another document
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 4688 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 18.211.24.111:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: global traffic | DNS query: name: admin.phishproof.com
Source: global traffic | TCP traffic: 192.168.2.3:49717 -> 18.211.24.111:443
Source: Joe Sandbox View | IP Address: 18.211.24.111
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: admin.phishproof.com
Source: ~WRS{B99111E8-2784-47C8-B727-2DD40F6C39BA}.tmp.0.dr | String found in binary or memory: https://admin.phishproof.com/af-Dbh8nMk.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: classification engine | Classification label: mal48.evad.winDOCX@1/12@1/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{B8E588C9-0F86-4BF6-B849-598FE459B515} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Persistence and Installation Behavior:

Contains an external reference to another document
Source: document.xml.rels | Binary or memory string: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="https://admin.phishproof.com/af-Dbh8nMk.png" TargetMode="External"/></Relationships>
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Techniques matched by the report's signatures carry the number of matching signatures in parentheses (shown as a superscript in the original matrix). Techniques without a count are the matrix's standard, unmatched entries, listed per tactic for completeness.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery (1); System Information Discovery (1); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Interactive behavior graph and its legend not reproduced in this extraction.]
Screenshots

[Screenshot thumbnails not reproduced in this extraction.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
admin.phishproof.com | 0% | Virustotal | -

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | -
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | -
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://admin.phishproof.com/af-Dbh8nMk.png | 0% | Avira URL Cloud | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
admin.phishproof.com | 18.211.24.111 | true | true | - | unknown

This is the only domain the document contacted during the run; the Microsoft service URLs listed under "URLs from Memory and Binaries" below were found as strings in a dropped Office file and were not contacted. The "Malicious" flag is the sandbox's classification of the contact the document made (an outbound fetch triggered by opening a document), not a scanner verdict: no antivirus detection is recorded, the reputation is unknown, and the URL tables show 0% on Virustotal and "safe" from Avira URL Cloud.
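The contact above is the document fetching https://admin.phishproof.com/af-Dbh8nMk.png, the one URL in this report that Word recovered from a ~WRS temporary file rather than from its own configuration. A .docx declares every such reference that leaves the package (a remote image, an attached template, a linked OLE object, a hyperlink) as a Relationship with TargetMode="External" in one of its *.rels parts, so enumerating those parts is a static triage step that does not require detonating the file. The script below is an added example written for this page, not part of the Joe Sandbox report or of any vendor tool; the minimal .docx it builds in memory is constructed for the demonstration and is not the analysed sample, it only reuses two URLs that appear in this report. The split between relationship types Word resolves automatically on open (image, attachedTemplate, oleObject, frame, subDocument) and those that need a click (hyperlink) is an assumption of the example, chosen to separate "will beacon on open" from "might be clicked".

```python
"""Enumerate external relationships in a .docx (static triage, runs offline).

A .docx is a ZIP of OOXML parts. Any reference that leaves the package is a
<Relationship ... TargetMode="External"> in a *.rels part; listing those shows
what the document will reach out to before it is ever opened in Word.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}

# Relationship types (suffix of the officeDocument/2006/relationships/... URI)
# that Word resolves automatically on open. Assumption of this example.
AUTO_FETCH_TYPES = {"image", "attachedTemplate", "oleObject", "frame", "subDocument"}


def external_relationships(docx_bytes):
    """Return [(rels_part, rel_type, target, auto_fetch)] for every relationship
    whose target lies outside the package: TargetMode="External", or a remote
    URL scheme in Target even when TargetMode was omitted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A .rels part that does not parse is itself worth a look.
                findings.append((name, "unparseable", "", False))
                continue
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                scheme = urlsplit(target).scheme.lower()
                if mode != "External" and scheme not in REMOTE_SCHEMES:
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, target, rel_type in AUTO_FETCH_TYPES))
    return findings


def external_hosts(docx_bytes):
    """Hostnames the document contacts without user interaction (block/hunt list)."""
    return {
        urlsplit(target).hostname
        for _, _, target, auto in external_relationships(docx_bytes)
        if auto and urlsplit(target).hostname
    }


def build_sample_docx():
    """Constructed minimal .docx for the demonstration (NOT the analysed sample):
    an empty body, one click-only hyperlink, and one external image relationship
    pointing at the URL this report recorded."""
    off = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            "</Types>"
        ),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{off}/officeDocument" Target="word/document.xml"/>'
            "</Relationships>"
        ),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p/></w:body></w:document>"
        ),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{off}/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{off}/hyperlink" '
            'Target="https://portal.office.com/account/?ref=ClientMeControl" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{off}/image" '
            'Target="https://admin.phishproof.com/af-Dbh8nMk.png" TargetMode="External"/>'
            "</Relationships>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target, auto in external_relationships(build_sample_docx()):
        print(f"{part}: {kind:<14} {'auto-fetch' if auto else 'on-click'}  {target}")
    print("hosts contacted on open:", sorted(external_hosts(build_sample_docx())))
```

Point the functions at `open("sample.docx", "rb").read()` for a real file. xml.etree does not defend against entity-expansion attacks, so for bulk triage of untrusted samples swap in defusedxml's ElementTree drop-in; and a relationship-level scan says nothing about VBA or DDE, which live in other parts.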

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
    high
    https://login.microsoftonline.com/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
      high
      https://shell.suite.office.com:14437043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
          high
          https://autodiscover-s.outlook.com/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
            high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
              high
              https://cdn.entity.7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://api.addins.omex.office.net/appinfo/query7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                high
                https://clients.config.office.net/user/v1.0/tenantassociationkey7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                  high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                    high
                    https://powerlift.acompli.net7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://lookup.onenote.com/lookup/geolocation/v17043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                      high
                      https://cortana.ai7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                        high
                        https://cloudfiles.onenote.com/upload.aspx7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                high
                                https://api.aadrm.com/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                      high
                                      https://cr.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                        high
                                        https://portal.office.com/account/?ref=ClientMeControl7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                          high
                                          https://ecs.office.com/config/v2/Office7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                            high
                                            https://graph.ppe.windows.net7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                            high
                                                            https://graph.windows.net7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://admin.phishproof.com/af-Dbh8nMk.png~WRS{B99111E8-2784-47C8-B727-2DD40F6C39BA}.tmp.0.drtrue
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                      high
                                                                                      https://wus2.contentsync.7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://incidents.diagnostics.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/ios7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmedia7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/Activities7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                high
                                                                                                https://api.office.net7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                  high
                                                                                                  https://incidents.diagnosticssdf.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                    high
                                                                                                    https://asgsmsproxyapi.azurewebsites.net/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                      high
                                                                                                      https://entitlement.diagnostics.office.com7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log7043B0DF-A4FB-405B-9062-49781E100B5F.0.drfalse
                                                                                                                high
Name | Source | Malicious | Antivirus Detection | Reputation
https://outlook.office365.com/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://webshell.suite.office.com | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://management.azure.com/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://graph.windows.net/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://devnull.onenote.com | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://ncus.pagecontentsync. | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://messaging.office.com/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://augloop.office.com/v2 | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://skyapi.live.net/Activity/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://clients.config.office.net/user/v1.0/mac | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://dataservice.o365filtering.com | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://api.cortana.ai | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://onedrive.live.com | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high
https://directory.services. | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | URL Reputation: safe (x3) | unknown
https://login.windows-ppe.net/common/oauth2/authorize | 7043B0DF-A4FB-405B-9062-49781E100B5F.0.dr | false | | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
18.211.24.111 | admin.phishproof.com | United States | 14618 | AMAZON-AESUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 392737
Start date: 19.04.2021
Start time: 20:47:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Covid-19 Payroll Tax Adjustment.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.evad.winDOCX@1/12@1/1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .docx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 20.82.210.154, 204.79.197.200, 13.107.21.200, 52.255.188.83, 184.30.21.144, 52.109.88.177, 52.109.12.24, 52.109.12.21, 23.57.80.111, 2.20.142.209, 2.20.142.210, 51.103.5.186, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
18.211.24.111 | Covid-19 Payroll Tax Adjustment.docx | malicious
| annualreport.xlsx | malicious
| annualreport.xlsx | malicious
| action_items.xlsm | malicious
| action_items.xlsm | malicious
| action_items.xlsm | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
admin.phishproof.com | annualreport.xlsx | malicious | 18.211.24.111
| annualreport.xlsx | malicious | 18.211.24.111
| action_items.xlsm | malicious | 18.211.24.111
| action_items.xlsm | malicious | 18.211.24.111
| action_items.xlsm | malicious | 18.211.24.111
| Love_you_201.doc | malicious | 18.233.242.165
| Love_you_201.doc | malicious | 18.233.242.165
| Love_you_201.doc | malicious | 18.233.242.165

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-AESUS | Covid-19 Payroll Tax Adjustment.docx | malicious | 18.211.24.111
| VoicePlayback (0195) for turnerrd pellamw .html | malicious | 50.16.177.212
| Monday, April 19th, 2021, 20210419111136.68B7C9F20FAF4F3F@classactsautobody.com.htm | malicious | 50.16.177.212
| SA-NQAW12n-NC9W03-pdf.exe | malicious | 52.71.133.130
| bxJIU2nFC5.exe | malicious | 54.243.121.36
| KoF2fbpF8X.exe | malicious | 23.21.48.44
| RFQ.xlsx | malicious | 52.5.157.71
| GE3hVNHtrK.exe | malicious | 3.232.116.190
| preggo.apk | malicious | 54.86.40.118
| preggo.apk | malicious | 54.208.246.209
| q7uNNDJUI2.exe | malicious | 23.23.85.1
| BQGxKexU78.exe | malicious | 23.21.74.8
| oddMyFn53m.exe | malicious | 54.225.155.255
| kBB0LJe6UO.exe | malicious | 54.235.175.90
| 078y61cSKy.exe | malicious | 50.19.242.215
| svchost.exe | malicious | 54.225.144.221
| Ficker.exe | malicious | 54.225.222.160
| H7YgdxkWKW.exe | malicious | 107.22.233.72
| JSChk2v3o9.exe | malicious | 54.225.144.221

JA3 Fingerprints

Columns: Match, Associated Sample Name / URL (Detection), Context IP

Match: 37f463bf4616ecd445d4a1937da06e19
  VoicePlayback (0195) for turnerrd pellamw .html (malicious): 18.211.24.111
  Monday, April 19th, 2021, 20210419111136.68B7C9F20FAF4F3F@classactsautobody.com.htm (malicious): 18.211.24.111
  VoicePlayback (0162) for jonathan.siberry wyg .html (malicious): 18.211.24.111
  catalog-1763942449.xlsm (malicious): 18.211.24.111
  documento.xlsb (malicious): 18.211.24.111
  FAGOTS.exe (malicious): 18.211.24.111
  369290.xls (malicious): 18.211.24.111
  1F9rLAdqSw.exe (malicious): 18.211.24.111
  TYdzcrJ1Th.exe (malicious): 18.211.24.111
  catalog-232888535.xlsm (malicious): 18.211.24.111
  SecuriteInfo.com.W32.AIDetect.malware2.8271.exe (malicious): 18.211.24.111
  faktura_POfk.exe (malicious): 18.211.24.111
  VoicePlayback (0129) for paul.mathias brewin .html (malicious): 18.211.24.111
  Shipment wk017 Note.exe (malicious): 18.211.24.111
  P A Y M E N T (1).html (malicious): 18.211.24.111
  SecuriteInfo.com.Trojan.Win32.Save.a.6606.exe (malicious): 18.211.24.111
  invoice-order-21412-paypal.xlxs.vbs (malicious): 18.211.24.111
  gSyJqxW85g.exe (malicious): 18.211.24.111
  qLpyW8ZKA9.exe (malicious): 18.211.24.111
  OVNQqw2Wx6.exe (malicious): 18.211.24.111

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7043B0DF-A4FB-405B-9062-49781E100B5F
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 133596
Entropy (8bit): 5.369622703377243
Encrypted: false
SSDEEP: 1536:IcQIKNEHBXA3gBwqpQ9DQW+zwh34ZldpKWXboOilXNErLWME9:vVQ9DQW+z6Xi8
MD5: C10497213773BDF7C0F8ABC688EBACB1
SHA1: E9E18749D85651E7C758885C793DAA142394E79A
SHA-256: 2E3615F17796E5585AA43D08CD6B643EC3361A52340BAF4F3FF3385E0FA50E0F
SHA-512: 033963CDC16AD5D73D78AEFD407006E83FA77F5E93EE088A7266AA58F764798DA7AE7B2317A0D65DC5578EE357CCD1D859F006CB88CA4FFCF8ED8F3068EE5C6E
Malicious: false
Reputation: low
                                                                                                                                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-19T18:48:57">.. Build: 16.0.14014.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16A209DE.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: PNG image data, 848 x 1184, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 719675
Entropy (8bit): 7.996898300210567
Encrypted: true
SSDEEP: 12288:khSdZ8li0/LgtMVUv+NjBl0Q5x56AMIRJqNSrna5eoC9hgO6oWb/N8kJCXgsE/:kMdmVzQMOvSBl0Q536fGJa5RC9+O6eF4
MD5: 167730B067E677A65BAAA3E1C317392B
SHA1: 29ABFFFB01422F8CF9679ACCC4DF31891B79CE3E
SHA-256: 0023C3DA70CDE56DBBADAD0C6A872A90D025A38B3AC1E66BC48120A1478B9008
SHA-512: 928D6336F7911D9022576AF3F5196DEC9FF2FB1FD70C59ABF9E3603F09EE637E6D0322E7637A94CE0DA592D41AE041A499D30CBB8C5E82F0477426620C69AAE7
Malicious: false
Reputation: low
                                                                                                                                                              Preview: .PNG........IHDR...P................KiCCPICC Profile..H..W.TSI.[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ.(v.(......*.........3w......;..N.O*.Eu.....#BX.R.X.N@...9.-._.e..E.(.....u.(.+.J...._....|..8.3.r~.....K.RY>.D...../U.I...`..K.8K.K.8C.+U6....w.@..x.,.....U..<.7!v.....t....E<..........8d|../.!N./k..sQ.9T,...f........a..M$..W...v3gZ... .d..B...;.@e.1J.)"....)_.5.L.]...(.M!....Dk....p..p....|n.f.".<,A.Y#...;.3e..fn.O..?..Ibk.o...A..E...u...@....6.LyNB....).qb.md.xe.6...%.!j~lJ.,<^c/...-...1.\./J......T..A.,....y........a..KBI.&_.C......R...........bSyA.f............%...3.yc..... .p@(`..l.`.......K=..x@.....h4.3RT#..L.E.o..@>4/D5*..P.iH.~..L.h.jF.x.q.....B5K2.-.<...w..0.\.c...P...(.yY:...0b(1..Nt.M.@.....`..q..w0./..G.v...5B...Tq..|X`....59g|.3n.Y=..<..Cn.....|4....oO..h"Wf.-..r....;.+.....S......9.....R.1TW....9_UZ...o-.E.>.4v.;.....;.5c...J<....V..xU<9.G..?....r.z.n..|a.r...i.2q.(..;....G.`...........WL...a...+..C....../............_p/
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8A78.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: PNG image data, 1024 x 768, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 9084
Entropy (8bit): 6.066243465397226
Encrypted: false
SSDEEP: 96:ESBBav8ThoL9Jd+saEmB9IS9W/bvtWzd/JEdtgYTwetWyLrfvqk+U25qD3MsuTqy:ESdKvVmB9Ls8JqdtWCebkcU+
MD5: 84EA1CD08BE8E4BB6D8FA8BA0530FB13
SHA1: B5FF79D7B5EE6C4F47F754A11B34302AD99C84DB
SHA-256: 5CDB826CC6DDF754FF543B77A3D12276B7B21DA81B7E197D5653B3B1574CC1AC
SHA-512: 013419EEA891A25976CCA53293BD8883AFBDAFA557E279E8D918CF12D0B169FD905CA93E412E50A61BA90E9E803E6895E121AEFFF2ED3B3CFBC60552770F3A44
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                              Preview: .PNG........IHDR.....................pHYs.................tEXtSoftware.Adobe ImageReadyq.e<..#.IDATx....q.G...9....H..E*..........@T..".0.*.....M.@e E..>..tw.W......B....y?h..^....?..C.u'.......V.1....Z..Q....zJ......?............H....9........c.(D.... ..<^.>....{.._..za$...)_D.SJ?.....@..C.l.... .........E..1.....M)......P#@./.... .).Kc..s..J.p< ..Q.L)....8.......`)..|aT...y.x@...ww.t....nw$...D..........O...w... ...:._P........r.x@........'...+...0..[#.. .I~....0..../.3Y7F..@..zl5....5...rf|.....;T..F....+'......A...zc..v......`..#c.. @9.z].X.....;..z..~.......Qc=...}....Jm......08..`...F..|..%..A..1..9...0..;... *.....g...."_n.... .).+c.......W.ny.......d[.P........;... ....1..o.~.@Q.b...SY..`n..u=...}............Q...'......#.. H.".vJ.'...c...`..1....<............... ...`...0..........R.4.@..Gy........fJ.7.`..v..........0z....|.Z...,.w....|..nw$...D..GV.,.w...~..n......_...*.Ex...4....8....(.'.c..*.....0..ko...AN.k0.@..'.\u.... ./SJ"...!....../g......
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B99111E8-2784-47C8-B727-2DD40F6C39BA}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 1.2969066424008302
Encrypted: false
SSDEEP: 3:glXMKYHlLlP8EP3+KZfolYxRknr2gt95w7ggE7ZSMl6ljtll5l/HZllNPThbPXzU:glXMKYjUbKvRknqgHuMZlwj7XWdOZUtp
MD5: 6F1CEEC074E31DB5B91D04713ABABA1D
SHA1: DEBC7F96FF2EB66F48683FB4F55520F53EC3F8C7
SHA-256: 1A3825A26F50A1CA8FF147CCC4E32A384835D5A92ACC99E9FB94FC90413BED33
SHA-512: D093DE9BB1FA7238D6E63EBD5F33733CFEB3567C199719E8D93C07091ADA5C668D2999273A0DD4EF2C24BA1968B19D58B819F1DA47316F3A1F2819522B54D264
Malicious: false
Reputation: low
Preview: .... . ...".h.t.t.p.s.:././.a.d.m.i.n...p.h.i.s.h.p.r.o.o.f...c.o.m./.a.f.-.D.b.h.8.n.M.k...p.n.g.". .\.*. .M.E.R.G.E.F.O.R.M.A.T. .\.d.I.N.C.L.U.D.E.P.I.C.T.U.R.E. .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................h.P.....j.....h.P..U....j.
Decoded preview (the text is UTF-16LE; the dots between characters are the null high bytes): "https://admin.phishproof.com/af-Dbh8nMk.png" \* MERGEFORMAT \d INCLUDEPICTURE. This is the argument and switches of a Word INCLUDEPICTURE field, i.e. the external image reference that makes WINWORD.EXE resolve admin.phishproof.com and fetch the PNG over HTTPS when the document is rendered. The \d switch tells Word not to store the picture data in the document, so the fetch is repeated on every open.
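The scratch file above shows where the report's "external reference" and the HTTPS request come from: an INCLUDEPICTURE field whose target is a remote URL. A practitioner usually wants to find such references statically, before detonating a document. The following Python script is an added example (not part of this report and not Joe Sandbox code): it builds a minimal .docx in memory that carries the URL from the scratch file in the two places a remote image can live, a TargetMode="External" relationship and an INCLUDEPICTURE field instruction, and then walks the package to report both. The package layout is a minimal OOXML skeleton constructed for the demonstration, not the original sample; the function and variable names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Field instructions that make Word fetch remote content when the document is
# rendered or the field is updated. HYPERLINK is included because it is the other
# common remote pointer found in phishing lures.
REMOTE_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT", "HYPERLINK")
QUOTED_ARG = re.compile(r'"([^"]+)"')


def build_sample_docx(url: Optional[str]) -> bytes:
    """Constructed test input (hypothetical package, not the analysed sample).
    With a url, the document carries an external image relationship and an
    INCLUDEPICTURE field pointing at it; with None, it is a clean empty document."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = f'<Relationships xmlns="{REL_NS}">'
    body = ""
    if url is not None:
        # Remote image as a package relationship (what a linked picture uses).
        doc_rels += (
            '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{url}" TargetMode="External"/>'
        )
        # The same URL as a field code, the form seen in the ~WRS scratch file above.
        body = (
            "<w:p>"
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{url}" \\* MERGEFORMAT \\d </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            "</w:p>"
        )
    doc_rels += "</Relationships>"
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def find_external_refs(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (source, target) pairs for every remote reference in the package.
    'rels:<part>' entries come from TargetMode="External" relationships in any
    .rels part; 'field:<NAME>' entries from field instructions in the word/ parts
    (document body, headers, footers, footnotes)."""
    refs: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        refs.append(("rels:" + name, rel.get("Target", "")))
            elif name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                # A field instruction may be split over several w:instrText runs,
                # so join all runs of a paragraph before matching.
                for p in root.iter(f"{{{W_NS}}}p"):
                    instr = "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}instrText"))
                    for field in REMOTE_FIELDS:
                        if field in instr:
                            m = QUOTED_ARG.search(instr)
                            refs.append((f"field:{field}", m.group(1) if m else instr.strip()))
    return refs


if __name__ == "__main__":
    sample = build_sample_docx("https://admin.phishproof.com/af-Dbh8nMk.png")
    for src, target in find_external_refs(sample):
        print(f"{src:40s} {target}")
```

Run against a real file with `find_external_refs(open(path, "rb").read())`. Checking both the relationships and the field instructions matters: a linked picture inserted through the UI shows up only as an External relationship, while a hand-crafted or template-generated field shows up only as instrText, and either one is enough to make Word contact the remote host.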
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BBE8CFEB-DCB6-4DFA-A595-69EF3248CAE1}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DB830B8B-C7EB-49F0-88BA-8AB6288329D9}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 0.19557280042116507
Encrypted: false
SSDEEP: 3:lly/nnjM/n/lLClk:WjMvY+
MD5: D3639E51845151C937FD5D3BBCF24993
SHA1: 40472D691864544B1B85BF33D7DD7B076DF1FF7B
SHA-256: E95E1E45570B2FFB047C5D9CDBBCD054D00A42A6E27ECBD8B251F4F503C84918
SHA-512: 44CFC72178F39FED4C345F94D8F74DE3886E384BD2752B84A5911C73E2D2D522D2B030C45ACB3FA1212ECF56BF6D48BD42345B6997B7896B4ECBE14BEEFC9336
Malicious: false
Reputation: low
Preview: ../.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\af-Dbh8nMk[1].png
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: PNG image data, 848 x 1184, 8-bit/color RGBA, non-interlaced
Category: downloaded
Size (bytes): 719675
Entropy (8bit): 7.996898300210567
Encrypted: true
SSDEEP: 12288:khSdZ8li0/LgtMVUv+NjBl0Q5x56AMIRJqNSrna5eoC9hgO6oWb/N8kJCXgsE/:kMdmVzQMOvSBl0Q536fGJa5RC9+O6eF4
MD5: 167730B067E677A65BAAA3E1C317392B
SHA1: 29ABFFFB01422F8CF9679ACCC4DF31891B79CE3E
SHA-256: 0023C3DA70CDE56DBBADAD0C6A872A90D025A38B3AC1E66BC48120A1478B9008
SHA-512: 928D6336F7911D9022576AF3F5196DEC9FF2FB1FD70C59ABF9E3603F09EE637E6D0322E7637A94CE0DA592D41AE041A499D30CBB8C5E82F0477426620C69AAE7
Malicious: false
IE Cache URL: https://admin.phishproof.com/af-Dbh8nMk.png
Preview: .PNG........IHDR...P................KiCCPICC Profile..H..W.TSI.[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ.(v.(......*.........3w......;..N.O*.Eu.....#BX.R.X.N@...9.-._.e..E.(.....u.(.+.J...._....|..8.3.r~.....K.RY>.D...../U.I...`..K.8K.K.8C.+U6....w.@..x.,.....U..<.7!v.....t....E<..........8d|../.!N./k..sQ.9T,...f........a..M$..W...v3gZ... .d..B...;.@e.1J.)"....)_.5.L.]...(.M!....Dk....p..p....|n.f.".<,A.Y#...;.3e..fn.O..?..Ibk.o...A..E...u...@....6.LyNB....).qb.md.xe.6...%.!j~lJ.,<^c/...-...1.\./J......T..A.,....y........a..KBI.&_.C......R...........bSyA.f............%...3.yc..... .p@(`..l.`.......K=..x@.....h4.3RT#..L.E.o..@>4/D5*..P.iH.~..L.h.jF.x.q.....B5K2.-.<...w..0.\.c...P...(.yY:...0b(1..Nt.M.@.....`..q..w0./..G.v...5B...Tq..|X`....59g|.3n.Y=..<..Cn.....|4....oO..h"Wf.-..r....;.+.....S......9.....R.1TW....9_UZ...o-.E.>.4v.;.....;.5c...J<....V..xU<9.G..?....r.z.n..|a.r...i.2q.(..;....G.`...........WL...a...+..C....../............_p/
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\af-Dbh8nMk[1].png
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: PNG image data, 848 x 1184, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 719675
Entropy (8bit): 7.996898300210567
Encrypted: true
SSDEEP: 12288:khSdZ8li0/LgtMVUv+NjBl0Q5x56AMIRJqNSrna5eoC9hgO6oWb/N8kJCXgsE/:kMdmVzQMOvSBl0Q536fGJa5RC9+O6eF4
MD5: 167730B067E677A65BAAA3E1C317392B
SHA1: 29ABFFFB01422F8CF9679ACCC4DF31891B79CE3E
SHA-256: 0023C3DA70CDE56DBBADAD0C6A872A90D025A38B3AC1E66BC48120A1478B9008
SHA-512: 928D6336F7911D9022576AF3F5196DEC9FF2FB1FD70C59ABF9E3603F09EE637E6D0322E7637A94CE0DA592D41AE041A499D30CBB8C5E82F0477426620C69AAE7
Malicious: false
Preview: .PNG........IHDR...P................KiCCPICC Profile..H..W.TSI.[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ.(v.(......*.........3w......;..N.O*.Eu.....#BX.R.X.N@...9.-._.e..E.(.....u.(.+.J...._....|..8.3.r~.....K.RY>.D...../U.I...`..K.8K.K.8C.+U6....w.@..x.,.....U..<.7!v.....t....E<..........8d|../.!N./k..sQ.9T,...f........a..M$..W...v3gZ... .d..B...;.@e.1J.)"....)_.5.L.]...(.M!....Dk....p..p....|n.f.".<,A.Y#...;.3e..fn.O..?..Ibk.o...A..E...u...@....6.LyNB....).qb.md.xe.6...%.!j~lJ.,<^c/...-...1.\./J......T..A.,....y........a..KBI.&_.C......R...........bSyA.f............%...3.yc..... .p@(`..l.`.......K=..x@.....h4.3RT#..L.E.o..@>4/D5*..P.iH.~..L.h.jF.x.q.....B5K2.-.<...w..0.\.c...P...(.yY:...0b(1..Nt.M.@.....`..q..w0./..G.v...5B...Tq..|X`....59g|.3n.Y=..<..Cn.....|4....oO..h"Wf.-..r....;.+.....S......9.....R.1TW....9_UZ...o-.E.>.4v.;.....;.5c...J<....V..xU<9.G..?....r.z.n..|a.r...i.2q.(..;....G.`...........WL...a...+..C....../............_p/
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Covid-19 Payroll Tax Adjustment.docx.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:46 2020, mtime=Tue Apr 20 02:48:57 2021, atime=Tue Apr 20 02:48:53 2021, length=10480, window=hide
Category: dropped
Size (bytes): 2330
Entropy (8bit): 4.741243794147691
Encrypted: false
SSDEEP: 24:8pwTUMSZmAY6+D8NOd7aB6mypwTUMSZmAY6+D8NOd7aB6m:8pPhZdY6nNOwB6ppPhZdY6nNOwB6
MD5: E1377F5C5772B28826E942C7C80E760B
SHA1: 96B6CD086211644F40B108BE4D8352A04E2034EB
SHA-256: CAEA667BDB0B4FD3EDF9492D579E84EC2E2C8A25DB82CBC15603A49F808AB86E
SHA-512: A8149A6EAAC9651A09BB104F97EC786E00550CED5C9080300A33B6BE7DE79ADBD341D47917961AB82A49E279F1342E23BB0C53D0F4F52A6DEE0DB844AB44C0FE
Malicious: false
Preview: L..................F.... ...'...:...].\..5.......5...(...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qyx..user.<.......Ny..R.......S....................!...h.a.r.d.z.....~.1.....>Qzx..Desktop.h.......Ny..R.......Y..............>.....<...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..(...R.. .COVID-~1.DOC..z......>Qxx.R......h.....................O.T.C.o.v.i.d.-.1.9. .P.a.y.r.o.l.l. .T.a.x. .A.d.j.u.s.t.m.e.n.t...d.o.c.x.......j...............-.......i...........>.S......C:\Users\user\Desktop\Covid-19 Payroll Tax Adjustment.docx..;.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.v.i.d.-.1.9. .P.a.y.r.o.l.l. .T.a.x. .A.d.j.u.s.t.m.e.n.t...d.o.c.x.........:..,.LB.)...As...`.......X.......364339...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 148
Entropy (8bit): 4.999064477464734
Encrypted: false
SSDEEP: 3:HtoUc8RLo4RNpS+x+Uc8RLo4RNpSmxWtoUc8RLo4RNpSv:Ht35zRNphJ5zRNpg35zRNpc
MD5: 680BB48C2D332FF413BB77B04D94553A
SHA1: 4D8CD790650EF5664E61718569276A0FABCA1AB4
SHA-256: CAD5C1A06440183725413DC9CEBDD40AC249ED0581392D48DC7F059FFE2B367A
SHA-512: A78B4F3CEBACEE9C3C21A0916EEBB39AECBFB13ED715A799C8196A7018EF777972407D0C32336A3401564FE4F879CD7605453CD4F933AED9D8601B2D841F1BDC
Malicious: false
Preview: [misc]..Covid-19 Payroll Tax Adjustment.docx.LNK=0..Covid-19 Payroll Tax Adjustment.docx.LNK=0..[misc]..Covid-19 Payroll Tax Adjustment.docx.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 1.9652066281034348
Encrypted: false
SSDEEP: 3:Rl/ZdTtvnt/XrbusMH:RtZRtntDKsE
MD5: AB357A56B9743CE398D511BE1DE632A8
SHA1: 44105E555FB88A16CF1AEF69ECA0433D66D16E02
SHA-256: B80EC41C9CC51CDB050D719CF42D44E3A8731BD63CF02E5EAD412D8D57B27E19
SHA-512: EBE28A94D466752C6DF49361EA74C1450E8D9BADE23D1D96EA38ED8FA0B26190F6C0A536A462850C3B3C96B7EDDF2CF2908794D4D9052DA5001BF6FA9AC18A39
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h...........3...............................7.............................................H...
C:\Users\user\Desktop\~$vid-19 Payroll Tax Adjustment.docx
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 1.9652066281034348
Encrypted: false
SSDEEP: 3:Rl/ZdTtvnt/XrbusMH:RtZRtntDKsE
MD5: AB357A56B9743CE398D511BE1DE632A8
SHA1: 44105E555FB88A16CF1AEF69ECA0433D66D16E02
SHA-256: B80EC41C9CC51CDB050D719CF42D44E3A8731BD63CF02E5EAD412D8D57B27E19
SHA-512: EBE28A94D466752C6DF49361EA74C1450E8D9BADE23D1D96EA38ED8FA0B26190F6C0A536A462850C3B3C96B7EDDF2CF2908794D4D9052DA5001BF6FA9AC18A39
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h...........3...............................7.............................................H...

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
Entropy (8bit): 7.778256600131332
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: Covid-19 Payroll Tax Adjustment.docx
File size: 10480
MD5: f78e1a17152954d2c56e3de7f889065f
SHA1: 9ad2cffb62540c6ad60eee087c97cc756949adfd
SHA256: 606e7c0165678adb36211ad727f8d128577a06584034ee39402b9a931f457b06
SHA512: 05089c96e04be77867cdadafc57a1a0a5f511ebbcae070237bd71302ed84ebb6f0051155ab8692d0ccc3eb639af4cfb58d58fd3f8cd74c08174b5168d0311073
SSDEEP: 192:77t5Z7p6Enlo2QOFipslkaCkMo2rIoVk0ipVH8Lad8NXPEhMHsQO:Vj7p6ElzQJA5yIoGVcLhJPqEnO
File Content Preview: PK........4..R................docProps/PK........4..R.;q.............docProps/app.xml.S.n.!..W.?....Q.U.&..U9..%o.....QY@0..~}..x.Nz*.7.......K....l._..l.*.&4..V...v.ET..7....8b.7..'.I!b"..b..WbO..Rf......=..!u@....mk......'y9._K|!..6.q.....@.+..S.....YO.

File Icon

Icon Hash: 74fcd0d2d6d6d0cc

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 19, 2021 20:48:58.219957113 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.347069025 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.347209930 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.397972107 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.540225983 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.540260077 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.540273905 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.540286064 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.540422916 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.540469885 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.584994078 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.713078022 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.713265896 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.721865892 CEST  49717        443        192.168.2.3    18.211.24.111
Apr 19, 2021 20:48:58.889791965 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889822960 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889841080 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889857054 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889872074 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889892101 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889909983 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889925003 CEST  443          49717      18.211.24.111  192.168.2.3
Apr 19, 2021 20:48:58.889942884 CEST  443          49717      18.211.24.111  192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:58.889954090 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:58.889955044 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:58.889975071 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:58.889992952 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:58.890006065 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:58.890045881 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:58.890075922 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.016899109 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.016921997 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.016938925 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.016956091 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.016972065 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.016988039 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017008066 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017024994 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017040968 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017056942 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017076015 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017086983 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017086983 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017103910 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017121077 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017137051 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017153025 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017168045 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017180920 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017184019 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017200947 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017210960 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017220974 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017241001 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017246008 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017261028 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017278910 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017286062 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017296076 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.017324924 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.017365932 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.030447006 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.030541897 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144176960 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144205093 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144220114 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144236088 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144253016 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144268036 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144285917 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144287109 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144303083 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144321918 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144340038 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144350052 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144357920 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144373894 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144390106 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144397974 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144407034 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144419909 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144423962 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144440889 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144468069 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144476891 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144490957 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144494057 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144503117 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144515038 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144521952 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144532919 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144537926 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144555092 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144570112 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144573927 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144586086 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144598007 CEST49717443192.168.2.318.211.24.111
                                                                                                                                                              Apr 19, 2021 20:48:59.144602060 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144618988 CEST4434971718.211.24.111192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:48:59.144629955 CEST49717443192.168.2.318.211.24.111

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2021 20:48:45.565915108 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:45.616995096 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:46.254786968 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:46.304349899 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:46.361670017 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:46.428327084 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:46.886351109 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:46.938867092 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:48.117469072 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:48.176450014 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:48.901540995 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:48.951107979 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:50.888322115 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:50.947396994 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:52.911545038 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:52.965044022 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:54.269659996 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:54.318880081 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:55.659423113 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:55.708086967 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:56.830710888 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:56.904211998 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:57.901072979 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:57.973083019 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:58.137242079 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:58.209566116 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:58.927730083 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:58.999527931 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:59.475279093 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:59.524192095 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:48:59.932493925 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:48:59.989589930 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:00.643106937 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:00.694710970 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:01.724956036 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:01.775633097 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:01.947566032 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:02.000557899 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:02.965059042 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:03.019781113 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:04.182295084 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:04.236326933 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:05.416647911 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:05.465311050 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:05.963485956 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:06.020745993 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:06.550812006 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:06.610017061 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:07.684772015 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:07.734131098 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:08.794676065 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:08.843288898 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:10.124777079 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:10.174350977 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:13.241785049 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:13.290599108 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:14.327954054 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:14.381567001 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:20.618103981 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:20.852917910 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:25.517956018 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:25.568382025 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:41.732152939 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:41.791014910 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 19, 2021 20:49:42.117032051 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 19, 2021 20:49:42.177131891 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:49:49.188390970 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:49:49.252140999 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:49:59.532999039 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:49:59.593077898 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:17.176367044 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:17.236253023 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:17.850091934 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:17.913037062 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:17.970172882 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:18.042728901 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:18.581006050 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:18.641315937 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:19.119294882 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:19.202680111 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:19.769747019 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:19.827630997 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:20.430726051 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:20.487646103 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:21.027590036 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:21.084788084 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:22.138075113 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:22.187180996 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:23.460191965 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:23.517492056 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:24.618679047 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:24.667346001 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:35.122631073 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:35.173568010 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                              Apr 19, 2021 20:50:37.020992041 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                              Apr 19, 2021 20:50:37.081214905 CEST53629388.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 19, 2021 20:48:58.137242079 CEST | 192.168.2.3 | 8.8.8.8 | 0xd6f1 | Standard query (0) | admin.phishproof.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 19, 2021 20:48:58.209566116 CEST | 8.8.8.8 | 192.168.2.3 | 0xd6f1 | No error (0) | admin.phishproof.com | - | 18.211.24.111 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Apr 19, 2021 20:48:58.540273905 CEST
Source IP:Port: 18.211.24.111:443
Dest IP:Port: 192.168.2.3:49717
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.phishproof.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Apr 07 02:00:00 CEST 2020 | Fri Apr 08 01:59:59 CEST 2022
CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
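Added example, not part of the Joe Sandbox report or its tooling: a Python check that takes the values from the HTTPS Packets row and the DNS Queries row above and (1) recomputes the JA3 digest from the fingerprint string (JA3 is defined as the MD5 of exactly that comma/dash-joined string), (2) decodes the fingerprint into the ClientHello version, cipher-suite count, extensions and groups it encodes, and (3) tests the leaf certificate's wildcard CN against the queried hostname and its validity window against the capture timestamp. The IANA name tables, the GREASE set, the wildcard rule and the time parsing are the example's own; it assumes the report's times are all local CET/CEST wall-clock values and ignores the zone token.

```python
"""Re-check the HTTPS row: recompute the JA3 digest, decode the ClientHello
fields the fingerprint encodes, and test the leaf certificate against the
queried name and the capture time. Added example, not Joe Sandbox code;
the inputs below are copied from the report tables."""
import hashlib
from datetime import datetime

# Copied from the HTTPS Packets and DNS Queries rows of the report.
REPORT_FINGERPRINT = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
                      "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORT_DIGEST = "37f463bf4616ecd445d4a1937da06e19"
QUERIED_NAME = "admin.phishproof.com"
LEAF_SUBJECT_CN = "*.phishproof.com"
LEAF_NOT_BEFORE = "Tue Apr 07 02:00:00 CEST 2020"
LEAF_NOT_AFTER = "Fri Apr 08 01:59:59 CEST 2022"
CAPTURE_TIME = "Apr 19, 2021 20:48:58.540273905 CEST"

# IANA registry names, limited to the identifiers that occur in this fingerprint.
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 65281: "renegotiation_info"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2"}
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}   # RFC 8701 reserved values


def ja3_digest(fingerprint: str) -> str:
    """JA3 = MD5 over 'version,ciphers,extensions,groups,point_formats'."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def parse_ja3(fingerprint: str) -> dict:
    """Split the five comma fields; dash-separated lists become int lists."""
    def ints(field: str) -> list:
        return [int(x) for x in field.split("-")] if field else []
    version, ciphers, exts, groups, formats = fingerprint.split(",")
    return {"version": int(version), "ciphers": ints(ciphers),
            "extensions": ints(exts), "groups": ints(groups),
            "point_formats": ints(formats)}


def describe_ja3(fingerprint: str) -> dict:
    """Readable summary plus the two properties an analyst checks first."""
    p = parse_ja3(fingerprint)
    seen = p["ciphers"] + p["extensions"] + p["groups"]
    return {
        "version": VERSIONS.get(p["version"], str(p["version"])),
        "cipher_count": len(p["ciphers"]),
        "extensions": [EXTENSIONS.get(e, str(e)) for e in p["extensions"]],
        "groups": [GROUPS.get(g, str(g)) for g in p["groups"]],
        # extension 0 present -> the hostname travelled in the ClientHello SNI
        "sends_sni": 0 in p["extensions"],
        # browsers inject GREASE values into these lists; Schannel does not
        "uses_grease": any(v in GREASE for v in seen),
    }


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 wildcard rule: a leading '*' matches exactly one DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".phishproof.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[:-len(suffix)]
    return bool(first_label) and "." not in first_label


def _cert_time(s: str) -> datetime:
    # "Tue Apr 07 02:00:00 CEST 2020": the zone token is dropped (assumption:
    # every time in the report is local CET/CEST, so an hour of skew cannot
    # flip a validity verdict measured in years).
    wday, mon, day, clock, _zone, year = s.split()
    return datetime.strptime(f"{wday} {mon} {day} {clock} {year}", "%a %b %d %H:%M:%S %Y")


def _capture_time(s: str) -> datetime:
    # "Apr 19, 2021 20:48:58.540273905 CEST": nanoseconds exceed %f, keep micros
    mon, day, year, clock, _zone = s.split()
    return datetime.strptime(f"{mon} {day} {year} {clock[:15]}", "%b %d, %Y %H:%M:%S.%f")


def check_leaf(subject_cn: str, not_before: str, not_after: str,
               hostname: str, at: str) -> dict:
    """Does the presented leaf cover the queried name, and was it valid then?"""
    t = _capture_time(at)
    return {"name_matches": hostname_matches(subject_cn, hostname),
            "valid_at_capture": _cert_time(not_before) <= t <= _cert_time(not_after)}


def verify_report() -> dict:
    """All three checks, run over the values copied from the report."""
    return {"digest_matches": ja3_digest(REPORT_FINGERPRINT) == REPORT_DIGEST,
            "client_hello": describe_ja3(REPORT_FINGERPRINT),
            "leaf": check_leaf(LEAF_SUBJECT_CN, LEAF_NOT_BEFORE, LEAF_NOT_AFTER,
                               QUERIED_NAME, CAPTURE_TIME)}


if __name__ == "__main__":
    for key, value in verify_report().items():
        print(f"{key}: {value}")
```

The decoded fingerprint is a TLS 1.2 ClientHello with SNI, no GREASE values and a fixed cipher order, which is what the Windows Schannel stack that WINWORD.EXE uses produces. That is the caveat behind the "JA3 SSL client fingerprint seen in connection with other malware" signature: the digest identifies the TLS client library on the sandbox host, and the same value appears whenever an Office document fetches anything over HTTPS, benign or not. The certificate checks confirm only that the server presented a wildcard certificate covering the queried name that was valid at capture time; they say nothing about who operates the host.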

Code Manipulations

Statistics

System Behavior

General

Start time: 20:48:53
Start date: 19/04/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0xac0000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly
