Edit tour

Windows Analysis Report
Contract agreement.docx

Overview

General Information

Sample Name:	Contract agreement.docx
Analysis ID:	877007
MD5:	494ad369620d8b28dea9cc0d60b8f865
SHA1:	57c451f3c0af780141d663940d58c201cda2cf36
SHA256:	2390662435e396fea8f64f5d5cbf71f70e7c191b6568437a1b1f794846f316da
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 2228 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.aadrm.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.office.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://api.scheduler.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://augloop.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.entity.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cortana.ai
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://cr.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://d.docs.live.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://directory.services.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://graph.windows.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://invites.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://login.windows.local
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://management.azure.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://management.azure.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office365.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://tasks.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	String found in binary or memory: https://www.yammer.com

Source: ~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{653712DB-38ED-4DC1-9DA7-FB800F1E46E3} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: classification engine

Classification label: clean0.winDOCX@1/14@0/0

Source: ~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Contract agreement.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Contract agreement.docx

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Contract agreement.docx

Initial sample: OLE zip file path = word/media/image3.jpeg

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: ~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://d.docs.live.net	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://login.windows.local	0%	URL Reputation	safe
https://login.windows.local	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://api.officescripts.microsoftusercontent.com/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://login.microsoftonline.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://shell.suite.office.com:1443	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://autodiscover-s.outlook.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://cdn.entity.	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://powerlift.acompli.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://cortana.ai	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.aadrm.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.microsoftstream.com/api/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://cr.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://graph.ppe.windows.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://officeci.azurewebsites.net/api/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.scheduler.	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://globaldisco.crm.dynamics.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://messaging.engagement.office.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://dev0-api.acompli.net/autodetect	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://web.microsoftstream.com/video/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://dataservice.o365filtering.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://d.docs.live.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
http://weather.service.msn.com/data.aspx	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://apis.live.net/v5.0/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://messaging.lifecycle.office.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://pushchannel.1drv.ms	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://management.azure.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://outlook.office365.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://wus2.contentsync.	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://make.powerautomate.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.office.net	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://incidents.diagnosticssdf.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://entitlement.diagnostics.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://substrate.office.com/search/api/v2/init	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://outlook.office.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://login.windows.local	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://webshell.suite.office.com	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://management.azure.com/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://api.officescripts.microsoftusercontent.com/api	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	E2378251-1ECC-490A-AE06-13C8C0E20C40.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877007
Start date and time:	2023-05-28 14:20:27 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Contract agreement.docx
Detection:	CLEAN
Classification:	clean0.winDOCX@1/14@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.24, 20.126.106.131, 20.126.111.161
Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, officeclient.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E2378251-1ECC-490A-AE06-13C8C0E20C40

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	155810
Entropy (8bit):	5.35131570621066
Encrypted:	false
SSDEEP:	1536:X+C/FPgfTB7U9guw19Q9DQA+zQak4F77nXmvidlXRjE6Llz6y:+DQ9DQA+zTXWM
MD5:	F1042F3DBFAFD97E0EF7A2FECAFCB374
SHA1:	1C3CC7277F2283A2AA79119FD19154B321383A88
SHA-256:	F40B00222ACC03D343EC7EC7C679E42194256A1A067141CC97621EC50596439A
SHA-512:	334304334E66D2AD1836D57D0740E2D37524A19C41CD0C1D3D5C6E660C652C223CD920BA8275719D94077A3388BC0CE41F35FBAFF62E3845BD1A8558EBB3242A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-05-28T12:21:16">.. Build: 16.0.16521.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C0ADF3A8.jpeg

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 367x226, components 3
Category:	dropped
Size (bytes):	16041
Entropy (8bit):	7.908036013679057
Encrypted:	false
SSDEEP:	384:UJiwuzBzGFGiGn0Lo5x06rJJFQc/eDlLyT6iQp:UyzBMTGn0uRJJmc2hLs6iQp
MD5:	532ECCFDAB55D04C4A1F0C74DCE69AC0
SHA1:	082C285DF47E0FA97DE967F8FF44DF12962384DC
SHA-256:	CB024CFF62003E835785C68BCA97A29818DFF1FE58F46C91D5B6BF889752F951
SHA-512:	D9A4150EF19A6CA2B3A73E6FE0625C5F1C56B4D6365BBD2816A12D8EFF7F448D69855B9B1413BF07594A93757915FAC43D8566ABBF5DAEECB5FC87EAA5627D66
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C.........................................................................o.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....l..#)..1..:...[lEU...rq....(.9..u..1..R.m....m_JZ(.....?.R..R.P.I....ho.2....F(.....4..).&...."..E.P.b.D...InNz.N...(..,....(...Z.(.....?.....h.6*.<0-.B..^....H.o.\...3H.VDV...g..ME.[..}B.(....E..Rm..P.E.P.E...P.E....(=(.....4...3E..W=......Y..B..m..R...=z...;T..j.P9....m.Q@..P(...sHI..h.i.w..~.....z.E....K@......@9.f.....QE...(...(..#..K.Y&.p....)c.2x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E3524F89.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 280 x 239, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	123518
Entropy (8bit):	7.994272940906965
Encrypted:	true
SSDEEP:	3072:/NuCUlIjWXRhoC0Sf9bHpUHgl7Ms7EWyljC/o6fvD:/rE9Z4gRMNW1/r
MD5:	6432EC45A44A1CE70C6D31D7910B3D8B
SHA1:	8BC88D78CB0231AFC15BE30E292A0663411C8624
SHA-256:	60AB53BD284207BE4197833C4F8B1632F860BA0183C52C9B8E0608BCED63BB14
SHA-512:	4F536E910627D7D6BF4D9D2F43E08BF5E85536C2FA55B531640D589C323B25C74EA9BA79781799036DF014B2C5CEFF6AA9DBFB4844FF6FF2F7D2C248970890B6
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............\.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...`..?..Y.]i.+ff.,..L...i.&m...I..I.h.@.N....eK....+.....r....}............{.=.s>.....y.o..a....}...C..5....q..7....<.u...F.A4...-s..i.....~\|l...w..$::.pE...U...6.>~..%$.45...v.qR1..c......5....\.388......[....;..6zz.z.W^\|O......<..aA....9o.5... E....D...5 .7.Y.h#'4.&.= .o,.........o...'+.j....O.:..o..F..q.3......-l.c..0~..%..T.jy.9hD...u..o../O.4.....](...........z...EK.,......NHL.x{PP.....8.4.2..;oK.Z:TTt.'vTW.GF.....Q.....Z........V...k.9?".....8E".+.x...1=-.8.R.kLQ..\.n.7.Y.J................~.F......_\....Lnv.`....^..Nb;.Fg...E..[.....}xxxEu.O..+WFG.`.... }[k.F.JI4...E....[..e..i...............O..t.$.....R.....=..(....JG....Y.9...}.....]...o....O.t...U.3.}....qc^C.c..bB........A.?}JjLR..0..}.g.F.....wD.k.o .g.j.>.W.8D...).....lA!...{.=Pn6.>.....+I).)I>p..o.$..bZR..v9.,Jx.......4.#.3.7H._r......2=.....5S..q.R.....\|........Fo..BHA!R.%.g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F077D70A.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 225 x 225, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1872
Entropy (8bit):	7.820973115519834
Encrypted:	false
SSDEEP:	48:rZD2m8v+zT16rTGv6bYOx4cicaV2fs6QV4oJX:NDjzTYrRYupvaEs6roJX
MD5:	3DDCCDFCD959C07AB9A2F7778923DFB9
SHA1:	D6D40BC9AEF8DB200A9612B7D5794E3CE3FAACE1
SHA-256:	E701C4434517707206E3DAD5D1E84249B423F0C932B79F1CE71E434B227D6240
SHA-512:	D8BC7418C461B81FBC20D7D3BCDFC4EB22E76CEAD6391049D6363DD4909EC2770BE024BF73395097090C514C245C91730C01B5BDA886BB6B6FB8B4085B7C3C9D
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............m"H....PLTE......=...V..O.4...........{..9...S.(.......F.............Y..6g...........A..J.....D..@.......N........@m..}....k..Ov...............E..........u..\|..c..)_....It.q..a...b..R_6...ZIDATx...m{.6..`.8).).....H.u.ei.u....a....D.........:..@..O.>}....').j>.l..U.}$.i...?......r>...;....Q.e:..=!.S.#.....{4..... ...kSo......[..2^.}..v...C.Dd....Z.1.X01.X,1.X(1.X$1.X 1.X.1.X...,....D...!...1.".8`.D,.N../..9.).YO.i..7.0.F..f...,....a.R..kTz`f....Qy..5*.0.F..f...,......T'.....@U..P.(.T#.....@..,P.(..'.....@Q..P....#.....@...P...d'.....+ub=c.n.w.Fv..Q.h...]P0.....>ac.VZ..2.....>.........1._.z.8+_.3R..f.kCg....h}....y.............J.......U....xG.t#....rt.....d0.3.\|...(.......Y.q\.\|6..g.....N\|..6..R..@N#./....e....]@.#./...9..Fz_,...4..Zb.M...TF..........@.#..%...q\|....0...X.o.#\|6..Cc.}...../...\..Fy.."{..h.../.a.O...:r..>..7.m.B.hL..T..RJ(..>[.O..n.J(SG..~....&......,..m>D\...2B}....s........w..l......\.;..f..s....../1>+..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F5BDE783.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 1054 x 274, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12033
Entropy (8bit):	7.814046314403372
Encrypted:	false
SSDEEP:	192:Yo6IjAHr7WP4702cGwLM3nYQYHtbi+YssYWs5/OryMSHgg4QvuG6Td3V2Sa6Vti:WbHr7Wk09inYfHtbi+YuOGMygg4V5dE3
MD5:	1982F2115020E93B3AAF65C919E5E7B1
SHA1:	8E4AF970E33E083E62FB1D9FA709C59E876FDB23
SHA-256:	B310B9D089845E82397A55AF32151F3A20B7B20AE6634C84C3B03B0267DAE9F9
SHA-512:	269BDA663C90B7454F942615ACC283CC4D0DAF292E1BAA430593ADE534B8007AF430FFB66ACE0AABFDB2B9C4F6A880703FA12B82112D45AB86757CF54A5C81FF
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............Z\......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.._.e.}.p.I.L.XQp"gp.pjI...B.8.P.,?.B.k.!!.1C...}q!c=......`l..Pj.N....y.B\..n.B..-..4.8J...Vk...WZ+:..3s.9{......}Fsu.>k..w.....y..{.....x].....`p..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................hF.....4#x......<...........f.....@3..................h..7o>^......7.?..o_....7.../...O\|.W.(......<p.W^z....&H.0...~..q..}....u(/~./%..B...0E...}./...l8j.p....~........L..a$.V8..7}...o{..*....F.0........DYmB.....S...ejE..!RI...z.J...........{....>$..>...0..C'.C.M.....W~.....@7.......?z.............M!t.T>.....)........z.8.F..:l..._..~........t..SO=\|...7n.8Q........^..{.....3'xh`.C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3613836054883338
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	679672A5004E0AF50529F33DB5469699
SHA1:	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0
SHA-256:	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
SHA-512:	F8615C5E5CF768A94E06961C7C8BEF99BEB43E004A882A4E384F5DD56E047CA59B963A59971F78DCF4C35D1BB92D3A9BC7055BFA3A0D597635DE1A9CE06A3476
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{49097DBA-61CE-4F33-B2AF-5793A6014A01}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CE067D91-02EC-4E41-8AC4-21DD82903665}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.9745296251023903
Encrypted:	false
SSDEEP:	384:plmL56u5fvg+e9DsiXnI9Vp2CdkBg4GvGLuHUNLCrpecSsk/z:/6SDL
MD5:	47FF555FE2115329E0C1681771928BB9
SHA1:	3CD3CC66BDD9E79353155E416D62BB411F33C491
SHA-256:	ED152BECDEEF81F9498A2DCEF725EA2B9E63A840C3DAD68B112B03590D692830
SHA-512:	A86912719AD2C0497BE63F853B11CDF34FEDD75352F83E5960D59988E7FAA733A10F4A5F5B3EE154D434331848238631467DE2246E9DA4F28D0A4303619EA282
Malicious:	false
Preview:	................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>................./. . . . . . . . . . . ........... . . . . . . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...M.O.N.E.Y. .B.A.C.K.........K.R.Y.P.T.O.B.E.T.A.L.N.I.N.G. .A.V.S.E.T.T. ...............................................................................................................................................................................L...b...d...f...h....................................................................................................................................................................................................................................................................................................................................................................$...Q.^.Q.a$.gd.~.......$.a$.gd.VI......$.a$.gd

C:\Users\user\AppData\Local\Temp\mso7F57.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Contract agreement.docx.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 20:39:35 2022, mtime=Sun May 28 20:21:17 2023, atime=Sun May 28 20:21:15 2023, length=178975, window=hide
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	4.71513904584517
Encrypted:	false
SSDEEP:	24:8cZAIXgu6IqrQ6PgQ1UARNhQ7D83ges7aB6m:8WXWRYAjRju0B6
MD5:	3F4E319184E7D71D4360251192DC551D
SHA1:	62A7F54DD0881B5B735A7AAC1C0CB24257FFBB2B
SHA-256:	F8A9EA5303670748919CE754B1654F023901FCF75CDCE77D45C89C56285D5E6B
SHA-512:	F162F592D37892D53F761909BC168EF0BA1FC93C2CFCA516BC4F9FBD25146BC317707AFEF9ACB0E83923C8E0537A86CC772C3A0A71DD7B21582C1CAC95AA5DBD
Malicious:	false
Preview:	L..................F.... ...:....... 4.W.......U.................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...V......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U...user.<.......Ny..V.......S....................q.X.h.a.r.d.z.....~.1......U....Desktop.h.......Ny..V.......Y..............>.......".D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2......V.. .CONTRA~1.DOC..`.......U.V.......Y....................oZ..C.o.n.t.r.a.c.t. .a.g.r.e.e.m.e.n.t...d.o.c.x.......]...............-.......\...........>.S......C:\Users\user\Desktop\Contract agreement.docx........\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.n.t.r.a.c.t. .a.g.r.e.e.m.e.n.t...d.o.c.x.........:..,.LB.)...As...`.......X.......980108...........!a..%.H.VZAj...q.............-..!a..%.H.VZAj...q.............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Generic INItialization configuration [misc]
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.648051626731679
Encrypted:	false
SSDEEP:	3:bDuMJl+EUGjrjRNpSmxWt7GjrjRNpSv:bCYjrrpgCjrrpc
MD5:	207988F3F81E7E0C79C3CE9F245F632C
SHA1:	A5F71CE0748B71F494D12BEF93586DC3C1C63B9D
SHA-256:	320967400402F287FDE052864B3185D9E843C417B6FA41015AD3F3A90AF25A72
SHA-512:	4D4BA8F62B75E80F128E5010A05C6CAC78BD9E60282D0559D2DDC92B0332A15D25EE680852F4AA078B744B5922ADEE25F4A55E9D78486AB72728DCFA6C7AACAA
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Contract agreement.docx.LNK=0..[misc]..Contract agreement.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	1.8563910986378818
Encrypted:	false
SSDEEP:	3:Rl/Zdl79/Il6BrklolRhlXln:RtZnK6xjP
MD5:	6EFE444A9F69B0D5589CE382A8DD805F
SHA1:	BC8EEDDC826041394DF78A391AC05D23368628E6
SHA-256:	583C7E4B175E6FAED403DF48A1B485E03F05F2CA2F05F9F3A95E36EB8A5936DB
SHA-512:	529F5FA827E206D8E0271BADD03716338097FE3A88A3B0009847D030ED9227C160A933CB9F1F3A5F6A42AEEBAC3907D72EEF763DD17973BF44A26CF8684FD441
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........2.u.=..................................................~...}......................

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$ntract agreement.docx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	1.8563910986378818
Encrypted:	false
SSDEEP:	3:Rl/Zdl79/Il6BrklolRhlXln:RtZnK6xjP
MD5:	6EFE444A9F69B0D5589CE382A8DD805F
SHA1:	BC8EEDDC826041394DF78A391AC05D23368628E6
SHA-256:	583C7E4B175E6FAED403DF48A1B485E03F05F2CA2F05F9F3A95E36EB8A5936DB
SHA-512:	529F5FA827E206D8E0271BADD03716338097FE3A88A3B0009847D030ED9227C160A933CB9F1F3A5F6A42AEEBAC3907D72EEF763DD17973BF44A26CF8684FD441
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........2.u.=..................................................~...}......................

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.954541983842944
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Contract agreement.docx
File size:	178975
MD5:	494ad369620d8b28dea9cc0d60b8f865
SHA1:	57c451f3c0af780141d663940d58c201cda2cf36
SHA256:	2390662435e396fea8f64f5d5cbf71f70e7c191b6568437a1b1f794846f316da
SHA512:	f91a2a536d161880aca47b18970aea6d795ff0c345cfa26401a936b9ecddf500100fbd0460b82fe5f75dbf4296e1cfdbb2c690bc07a0345c51009094c21ded82
SSDEEP:	3072:2lNuCUlIjWXRhoC0Sf9bHpUHgl7Ms7EWyljC/o6fv5MTT3hegIHTulufd2o:2lrE9Z4gRMNW1/Q7hegIHTPd2o
TLSH:	080412EDE850EC17EAE34A758E44D6F5BBB8251282806DD367C0EF7C467094783069DE
File Content Preview:	PK..........!.6...............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	35f5a5a6a4a6a5a5

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 2228, Parent PID: 800

General

Target ID:	0
Start time:	14:21:15
Start date:	28/05/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xdd0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Contract agreement.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E2378251-1ECC-490A-AE06-13C8C0E20C40

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C0ADF3A8.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E3524F89.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F077D70A.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F5BDE783.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{74B12600-5E18-46AC-A8F8-33C374F6DA66}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{49097DBA-61CE-4F33-B2AF-5793A6014A01}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CE067D91-02EC-4E41-8AC4-21DD82903665}.tmp

C:\Users\user\AppData\Local\Temp\mso7F57.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Contract agreement.docx.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$ntract agreement.docx

Static File Info

General

File Icon

Network Behavior

Statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 2228, Parent PID: 800

General

Disassembly

Windows Analysis Report
Contract agreement.docx