Edit tour

Windows Analysis Report
H565rymIuO.doc

Overview

General Information

Sample name:	H565rymIuO.doc renamed because original name is a hash value
Original sample name:	25fe7ce806195948532624d2c2462ec952da03a3312abd79de06aa2423da03f8.docx.doc
Analysis ID:	1585126
MD5:	162dd4e4ed6c0ef700b3c95385b5dc0a
SHA1:	1afc58e221337c3f8b18dc97e3156f8dbcc7d119
SHA256:	25fe7ce806195948532624d2c2462ec952da03a3312abd79de06aa2423da03f8
Tags:	docuser-zhuzhu0009
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Document exploit detected (process start blacklist hit)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7424 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

splwow64.exe (PID: 7272 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

Acrobat.exe (PID: 4564 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 1020 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7564 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1628,i,12917579598302854451,16205094258031201980,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49741, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7424, Protocol: tcp, SourceIp: 104.21.74.191, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:00:31.139877+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.74.191	443	TCP
2025-01-07T06:00:32.734610+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.74.191	443	TCP
2025-01-07T06:00:33.393281+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.74.191	443	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:00:32.230249+0100	1810005	1	Potentially Bad Traffic	192.168.2.4	49742	104.21.74.191	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: H565rymIuO.doc

ReversingLabs: Detection: 28%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.4:49742 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org

Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443

Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49742
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49746
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49747
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.4:49748
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 104.21.74.191:443

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49742 -> 104.21.74.191:443

Source: Joe Sandbox View

IP Address: 104.21.74.191 104.21.74.191

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.74.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.74.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.74.191:443

Source: global traffic	HTTP traffic detected: GET /bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: acesso.runConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: acesso.runConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: acesso.run
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 05:00:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockX-Powered-By: Next.jsVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f4nSKkpaCGVjL5BN4HxeD7qBSTdqN8NNYfpoAUrZR%2FtaUxgDcJgcCkmOG%2FI6hQj23I9eXMrJ9g2ubXUAlyHl9FPz8IEUBXHGwRWGVFiDhWSBS3aAKBmSwZhoJFKm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fe162854a886a5e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1583&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=919&delivery_rate=1790312&cwnd=187&unsent_bytes=0&cid=636c565d03f5dca1&ts=202&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 05:00:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockX-Powered-By: Next.jsVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k21thlJ02v4fq30wgNkg%2FVjjuwMw8kyF6CIhhd22o33gYRy%2Bw1j1yLfDZdL5obgue605iMO%2B23pQLejJFKwSjXZKO55gJqrP4s5JUnTixta2cKO57ilqAx5uAG5Q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fe1628e09e1f793-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1462&min_rtt=1457&rtt_var=557&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=752&delivery_rate=1944074&cwnd=152&unsent_bytes=0&cid=7b51643410143d2f&ts=178&x=0"

Source: 2D85F72862B55C4EADD9E66E06947F3D0.10.dr

String found in binary or memory: http://x1.i.lencr.org/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: classification engine

Classification label: mal64.expl.evad.winDOC@18/49@4/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$65rymIuO.doc

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{04C2B3AE-8DD9-4F92-90F9-5CB2C24EAC25} - OProcSessId.dat

Jump to behavior

Source: H565rymIuO.doc	OLE indicator, Word Document stream: true
Source: H565rymIuO.doc	OLE indicator, Word Document stream: true

Source: H565rymIuO.doc	OLE document summary: title field not present or empty
Source: H565rymIuO.doc	OLE document summary: edited time not present or 0
Source: H565rymIuO.doc	OLE document summary: title field not present or empty
Source: H565rymIuO.doc	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: H565rymIuO.doc

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1628,i,12917579598302854451,16205094258031201980,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1628,i,12917579598302854451,16205094258031201980,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: H565rymIuO.doc	Initial sample: OLE zip file path = word/_rels/header2.xml.rels
Source: H565rymIuO.doc	Initial sample: OLE zip file path = word/media/image2.emf
Source: H565rymIuO.doc	Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: H565rymIuO.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: H565rymIuO.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://acesso.run/bkeoxh?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	13 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H565rymIuO.doc	29%	ReversingLabs	Document-Office.Trojan.Heuristic

Source	Detection	Scanner	Label	Link
https://acesso.run/bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust	0%	Avira URL Cloud	safe
https://acesso.run/404	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
acesso.run	104.21.74.191	true	true		unknown
x1.i.lencr.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://acesso.run/404	true	Avira URL Cloud: safe	unknown
https://acesso.run/bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.10.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.74.191	acesso.run	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585126
Start date and time:	2025-01-07 05:59:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H565rymIuO.doc renamed because original name is a hash value
Original Sample Name:	25fe7ce806195948532624d2c2462ec952da03a3312abd79de06aa2423da03f8.docx.doc
Detection:	MAL
Classification:	mal64.expl.evad.winDOC@18/49@4/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.76.243, 23.56.254.164, 20.42.73.31, 52.109.32.46, 52.109.32.39, 52.109.32.47, 52.109.32.38, 95.100.110.78, 95.100.110.68, 23.56.252.213, 2.16.168.105, 2.16.168.107, 52.22.41.97, 3.219.243.226, 3.233.129.217, 52.6.155.20, 172.64.41.3, 162.159.61.3, 23.209.209.135, 20.109.210.53, 40.126.32.74, 13.107.246.45, 23.47.168.24
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdeus21.eastus.cloudapp.azure.com, acroipm2.adobe.com, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, officeclient.microsoft.com, templatesmetadata.office.net, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: H565rymIuO.doc

Simulations

Behavior and APIs

Time	Type	Description
00:00:52	API Interceptor	8x Sleep call for process: splwow64.exe modified
00:01:08	API Interceptor	1x Sleep call for process: AcroCEF.exe modified

LLM Input / Output

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " ", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " ", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": true, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.74.191	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	tuong.me/wp-login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
acesso.run	A & C Metrology OC 545714677889Materiale.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	172.67.162.95
	PO.2407010.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	172.67.162.95
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	104.21.74.191
	AWB-M09CT560.docx.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	AWB-M09CT560.docx.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.162.95
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.162.95
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.74.191
	0001.xls	Get hash	malicious	Remcos	Browse	172.67.162.95
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	172.67.162.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	104.26.0.123
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	x86_64.elf	Get hash	malicious	Mirai	Browse	8.44.60.50
	sh4.elf	Get hash	malicious	Mirai	Browse	162.158.206.216
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	104.17.247.203

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.74.191
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.74.191
	sEG2xXpg0X.xlsm	Get hash	malicious	Unknown	Browse	104.21.74.191
	Drivespan.dll	Get hash	malicious	Unknown	Browse	104.21.74.191
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse	104.21.74.191
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.74.191
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.74.191
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	104.21.74.191
	title.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	104.21.74.191
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.74.191
37f463bf4616ecd445d4a1937da06e19	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse	104.21.74.191
	287438657364-7643738421.08.exe	Get hash	malicious	Unknown	Browse	104.21.74.191
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse	104.21.74.191
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.74.191
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse	104.21.74.191
	2749837485743-7684385786.05.exe	Get hash	malicious	Unknown	Browse	104.21.74.191
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.21.74.191
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.21.74.191
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	104.21.74.191

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.117986050595108
Encrypted:	false
SSDEEP:	6:iOpFaeCVq2Pwkn2nKuAl9OmbnIFUtLFaXfYgZmwlFaXmYIkwOwkn2nKuAl9Ombjd:7pFaTvYfHAahFUtLFaPh/lFa275JfHAR
MD5:	0F70D5FF267944B8772CC3BAFC106E1D
SHA1:	10E21C69AB6519421F51E947010D530B476BD608
SHA-256:	F677F1565AB7A33B649568F8958378E867CE8C1F8B17EF9A3BF522EF8134B748
SHA-512:	222FD958DCF22F5F787EB4C24355D57F3391177729274EDED3D47E864D7A6DAFF11DFC23C58CC41D9AA752F167F81CDEF1F4534679492CD227F04BBDC79921FC
Malicious:	false
Reputation:	low
Preview:	2025/01/07-00:00:55.358 14e0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-00:00:55.360 14e0 Recovering log #3.2025/01/07-00:00:55.361 14e0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.655933165847645
Encrypted:	false
SSDEEP:	3:KVGl/lilKlRAGlLv3WQtQdD9yvpbTnCkfnqfn:KVy/4KDdnpT7in
MD5:	EEAFC1805283A30AF0351E19379DB8D7
SHA1:	159175EB78A95AEE5D36362A4B1C7637B8A89DD3
SHA-256:	A40E210B70B16D23D9FEA5BF8172C1B2681628BD6503E7E783150407BD1C6A60
SHA-512:	789525A0767099393BF028BCE9BD918DBBE971C555CFA9980D6FDDCA4A463B29FA146550F64D196D93BA1A4D6F82269CA16CC8152446EF5FF2B4BE11E883799C
Malicious:	false
Preview:	.user..................................................j.o.n.e.s.........GQ.e.GET..!J.D@BZ..Q1""K......`......1*H...D.I.I'...`...........&z.}..i......y..=.i

File type:	Microsoft Word 2007+
Entropy (8bit):	7.997560538515653
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	H565rymIuO.doc
File size:	772'883 bytes
MD5:	162dd4e4ed6c0ef700b3c95385b5dc0a
SHA1:	1afc58e221337c3f8b18dc97e3156f8dbcc7d119
SHA256:	25fe7ce806195948532624d2c2462ec952da03a3312abd79de06aa2423da03f8
SHA512:	9f0a61a472232c6ed8dfcc4573a52143221862abcd282c82129047621a9fb547ca9a0d3058e2fd61151ec4c7254b0dbf67bb537b40314eec7ec21496292e147e
SSDEEP:	12288:PgQZ2ZnS2Q57FPCSX3IOwatF3UhqmecJ3baH5d8nncr9/KU4SEkgqCzPrF2:P4ZSLBqK3UeF3UVTJ2wncdJ4SEkgqcJ2
TLSH:	83F423C60EEF903481B9FFF413414CA3B5B229265B2945433B78D51C6EF84BAC796A78
File Content Preview:	PK.........a]Ys"P)............[Content_Types].xmlUT..... g.. g.. g.V.N.0.._....E.[...j.....n.......d.....7.B..B....9.1s.vF..k...I{W.a5`.8..v..=Ln.sV$.N....l..]....&... .K5.#...'9.+R..8Zi\|...5.x..I.....g\z........;2....^D...t....7.....":V\..,]3...R ../N}.-

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	4
Total Edit Time:	0
Create Time:	2024-10-29T02:17:00Z
Last Saved Time:	2024-10-29T06:44:00Z
Number of Pages:	1
Number of Words:	12
Number of Characters:	71
Creating Application:	Microsoft Office Word
Security:	0

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

General
Stream Path:	\x1Ole10Native
CLSID:
File Type:	data
Stream Size:	721346
Entropy:	7.687301120111189
Base64 Encoded:	True
Data ASCII:	. . . . . 2 4 0 9 2 4 ? ? ? ? ? ? ? ? ? ? ? ? ? . p d f . C : \\ U s e r s \\ 9 1 9 7 4 \\ O n e D r i v e \\ D e s k t o p \\ W o r d F i l e \\ N E W F I L E S \\ 2 4 0 9 2 4 ? ? ? ? ? ? ? ? ? ? ? ? ? . p d f . . . . . = . . . C : \\ U s e r s \\ 9 1 9 7 4 \\ A p p D a t a \\ L o c a l \\ T e m p \\ 2 4 0 9 2 4 ? ? ? ? ? ? ? ? ? ? ? ? ? . p d f . . . % P D F - 1 . 7 . % . . . . 1 0 o b j . < < / A c r o F o r m 6 4 0 R / M e t a d a t a 6 3 0 R / P a g e s 3 0 R / T y p
Data Raw:	be 01 0b 00 02 00 32 34 30 39 32 34 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 20 3f 3f 3f 3f 2e 70 64 66 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 37 34 5c 4f 6e 65 44 72 69 76 65 5c 44 65 73 6b 74 6f 70 5c 57 6f 72 64 46 69 6c 65 5c 4e 45 57 46 49 4c 45 53 5c 32 34 30 39 32 34 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 20 3f 3f 3f 3f 2e 70 64 66 00 00 00 03 00 3d 00 00 00 43 3a 5c 55 73 65 72 73 5c 39

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	56395
Entropy:	7.879183004467334
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . . 4 0 o b j . ( I d e n t i t y ) . e n d o b j . 5 0 o b j . ( A d o b e ) . e n d o b j . 8 0 o b j . < < . / F i l t e r / F l a t e D e c o d e . / L e n g t h 3 1 7 3 8 . / L e n g t h 1 4 0 2 7 6 0 . / T y p e / S t r e a m . > > . s t r e a m . x } . \| \\ U 9 r % . I 2 Y & I I t . i i . $ ) P V v , H A _ ~ . . . / " L d u m = = s = . . A . ! ? * l X _ . . . } . . z . f , ^ > z 6 4 # / . \\ m 3 . . # { . l 8 . 0 } F . E . 6 o } . . ? a ? . k . . " . q . Z . [
Data Raw:	25 50 44 46 2d 31 2e 37 0a 0a 34 20 30 20 6f 62 6a 0a 28 49 64 65 6e 74 69 74 79 29 0a 65 6e 64 6f 62 6a 0a 35 20 30 20 6f 62 6a 0a 28 41 64 6f 62 65 29 0a 65 6e 64 6f 62 6a 0a 38 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 2f 4c 65 6e 67 74 68 20 33 31 37 33 38 0a 2f 4c 65 6e 67 74 68 31 20 34 30 32 37 36 30 0a 2f 54 79 70 65 20 2f

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:00:30.674509048 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:30.674540043 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:30.674665928 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:30.675307035 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:30.675323009 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.139712095 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.139877081 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.172694921 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.172733068 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.173075914 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.185197115 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.231342077 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.327296019 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.327404976 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.327505112 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.550482988 CET	49741	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.550513029 CET	443	49741	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.604218960 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.604264975 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:31.604346037 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.605643988 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:31.605663061 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.071098089 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.071177959 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.084322929 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.084352016 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.084651947 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.084763050 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.085813999 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.131325006 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.230254889 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.230349064 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.230365038 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.230391979 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.230432034 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.230458975 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.232358932 CET	49742	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.232373953 CET	443	49742	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.250757933 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.250797033 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.250938892 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.251204014 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.251219988 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.733855009 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.734610081 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.734637976 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.735639095 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.735649109 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.924501896 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.924596071 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.924662113 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.924799919 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.924824953 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.924839973 CET	49744	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.924849033 CET	443	49744	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.926666975 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.926716089 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:32.926964045 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.927227020 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:32.927251101 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.392750978 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.393280983 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.393312931 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.394257069 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.394263029 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.588969946 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.589056015 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.589152098 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.589287043 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.589308023 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.589318037 CET	49746	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.589327097 CET	443	49746	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.670447111 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.670490980 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:33.670597076 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.670972109 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:33.670989037 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.136698008 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.136850119 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.141027927 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.141038895 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.141597986 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.141602993 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.335009098 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.335086107 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.335568905 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.335592031 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.335592031 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.343667030 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.343715906 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.343832970 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.344075918 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.344086885 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.642595053 CET	49747	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.642630100 CET	443	49747	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.826239109 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.826534033 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.826981068 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.826987982 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:34.827388048 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:34.827393055 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000188112 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000281096 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000314951 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000349998 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000468969 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.000468969 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.000468969 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.000482082 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000550032 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.000699997 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.001907110 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.001924038 CET	443	49748	104.21.74.191	192.168.2.4
Jan 7, 2025 06:00:35.001939058 CET	49748	443	192.168.2.4	104.21.74.191
Jan 7, 2025 06:00:35.002041101 CET	49748	443	192.168.2.4	104.21.74.191

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:00:30.657018900 CET	64164	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:00:30.673280001 CET	53	64164	1.1.1.1	192.168.2.4
Jan 7, 2025 06:01:08.225682020 CET	55178	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:01:24.348793983 CET	58985	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:01:48.424173117 CET	57899	53	192.168.2.4	1.1.1.1

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:31 UTC	323	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: acesso.run
2025-01-07 05:00:31 UTC	1008	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 05:00:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Allow: GET,HEAD cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kbHNUKqlWtfxqGyZFlZLoqMJvymRF7tpbEfHVn%2BUIPyA8PMa2Bb4UN6vinpHXbT5Hn6dtYIhdKmmV9nZRlU5nXQRxTFEhHmGNXb4LkkdkytGmjlI%2BFqibLKRliKv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe162773c4342da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1740&rtt_var=668&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2824&recv_bytes=937&delivery_rate=1619523&cwnd=227&unsent_bytes=0&cid=23210e710b744b8b&ts=199&x=0"
2025-01-07 05:00:31 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-01-07 05:00:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:32 UTC	226	OUT	OPTIONS / HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: acesso.run Content-Length: 0 Connection: Keep-Alive
2025-01-07 05:00:32 UTC	1012	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 05:00:32 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Allow: GET,HEAD cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Fdw13gy2PxZ8HXEa%2BjI9kxDrvbowFh%2F%2FNKiTv2FEkuHKgTXLf5yr9e%2BCClYRu1ym0JtycUkqpo56zFkZpnDk3xsAfbJ43JWeny8igSSmvhl4JO1EQzItNPg0Is6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe1627cdb6378e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1776&rtt_var=690&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=840&delivery_rate=1557333&cwnd=230&unsent_bytes=0&cid=4a3e1c7f281f8674&ts=166&x=0"
2025-01-07 05:00:32 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-01-07 05:00:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:32 UTC	433	OUT	HEAD /bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: acesso.run
2025-01-07 05:00:32 UTC	1032	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 07 Jan 2025 05:00:32 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 38 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /404 Vary: Accept cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sbIX4aqkyYmRXJ5PdYWZGLQjnogY206227iS0GblVyRs3Wxvuoa8y%2F2dKW7NUlCTk3%2BQ0VT6vZvoUjrs6BFSwQzhhGuOGYkTQC7OuqidVyCVSwjd7YP0ln%2F8VRim"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe162811fd94398-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1601&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=1047&delivery_rate=1823860&cwnd=230&unsent_bytes=0&cid=d2fd1441b4d82d0b&ts=195&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:33 UTC	305	OUT	HEAD /404 HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: acesso.run
2025-01-07 05:00:33 UTC	1016	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 05:00:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Powered-By: Next.js Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f4nSKkpaCGVjL5BN4HxeD7qBSTdqN8NNYfpoAUrZR%2FtaUxgDcJgcCkmOG%2FI6hQj23I9eXMrJ9g2ubXUAlyHl9FPz8IEUBXHGwRWGVFiDhWSBS3aAKBmSwZhoJFKm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe162854a886a5e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1583&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=919&delivery_rate=1790312&cwnd=187&unsent_bytes=0&cid=636c565d03f5dca1&ts=202&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:34 UTC	298	OUT	GET /bkeoxH?&bondsman=troubled&shrimp=harsh&sewer=tense&cold=warlike&briefs=unsuitable&oasis=numberless&cowbell=rough&airport=lowly&dust HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: acesso.run Connection: Keep-Alive
2025-01-07 05:00:34 UTC	1029	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 07 Jan 2025 05:00:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 38 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /404 Vary: Accept cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTYSCKvSc7dpc1j6Im6xG1aaqOZJ2%2F4xnBfcll2FdM5G3kQII1Z9eVxjSGUJEVYKhgrWLTTUVlMSkjXUYJ%2FoaH3Wktq48TBZMG8fE0V48cUECqvRuWiU7ibumgL0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe16289defd431f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1631&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=880&delivery_rate=1790312&cwnd=250&unsent_bytes=0&cid=28a01e6ccf9223da&ts=204&x=0"
2025-01-07 05:00:34 UTC	38	IN	Data Raw: 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 2f 34 30 34 Data Ascii: Moved Permanently. Redirecting to /404

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:00:34 UTC	170	OUT	GET /404 HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: acesso.run Connection: Keep-Alive
2025-01-07 05:00:34 UTC	1046	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 05:00:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Powered-By: Next.js Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k21thlJ02v4fq30wgNkg%2FVjjuwMw8kyF6CIhhd22o33gYRy%2Bw1j1yLfDZdL5obgue605iMO%2B23pQLejJFKwSjXZKO55gJqrP4s5JUnTixta2cKO57ilqAx5uAG5Q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe1628e09e1f793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1462&min_rtt=1457&rtt_var=557&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=752&delivery_rate=1944074&cwnd=152&unsent_bytes=0&cid=7b51643410143d2f&ts=178&x=0"
2025-01-07 05:00:34 UTC	323	IN	Data Raw: 31 32 32 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 53 65 74 3d 22 75 74 66 2d 38 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 72 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 75 6e 64 65 66 69 6e 65 64 20 69 73 20 61 20 66 72 65 65 20 61 6e 64 20 6f 70 65 6e 20 73 6f 75 72 63 65 20 55 52 4c 20 73 68 6f 72 74 65 6e 65 72 20 77 69 74 68 20 63 75 73 74 6f 6d 20 64 6f 6d 61 Data Ascii: 1225<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/><meta name="description" content="undefined is a free and open source URL shortener with custom doma
2025-01-07 05:00:34 UTC	1369	IN	Data Raw: 3d 4e 75 6e 69 74 6f 3a 33 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 39 36 78 31 39 36 22 20 68 72 65 66 3d 22 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 2d 31 39 36 78 31 39 36 2e 70 6e 67 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 68 72 65 66 3d 22 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 36 78 31 36 22 20 68 72 65 66 3d 22 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 2d 31 36 78 31 36 2e 70 6e 67 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d Data Ascii: =Nunito:300,400,700" rel="stylesheet"/><link rel="icon" sizes="196x196" href="/images/favicon-196x196.png"/><link rel="icon" sizes="32x32" href="/images/favicon-32x32.png"/><link rel="icon" sizes="16x16" href="/images/favicon-16x16.png"/><link rel="apple-
2025-01-07 05:00:34 UTC	1369	IN	Data Raw: 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6e 65 78 74 2d 68 65 61 64 2d 63 6f 75 6e 74 22 20 63 6f 6e 74 65 6e 74 3d 22 33 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f 75 6d 32 32 67 32 4c 50 38 4b 6f 30 6a 6b 31 76 48 72 50 43 63 2f 70 61 67 65 73 2f 5f 61 70 70 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f 72 75 6e 74 69 6d 65 2f 77 65 62 70 61 63 6b 2d 31 63 35 31 39 39 66 66 36 36 35 35 30 64 32 36 65 34 39 39 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 2f 3e 3c 6c 69 Data Ascii: could not be found</title><meta name="next-head-count" content="3"/><link rel="preload" href="/_next/static/um22g2LP8Ko0jk1vHrPCc/pages/_app.js" as="script"/><link rel="preload" href="/_next/static/runtime/webpack-1c5199ff66550d26e499.js" as="script"/><li
2025-01-07 05:00:34 UTC	1369	IN	Data Raw: 68 31 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 39 70 78 3b 68 65 69 67 68 74 3a 34 39 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 22 3e 3c 68 32 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 22 3e 54 68 69 73 20 70 61 67 65 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 3c 21 2d 2d 20 2d 2d 3e 2e 3c 2f 68 32 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e Data Ascii: h1><div style="display:inline-block;text-align:left;line-height:49px;height:49px;vertical-align:middle"><h2 style="font-size:14px;font-weight:normal;line-height:inherit;margin:0;padding:0">This page could not be found... -->.</h2></div></div></div></div>
2025-01-07 05:00:34 UTC	223	IN	Data Raw: 61 37 33 30 66 63 34 35 32 39 36 61 32 30 2e 6a 73 22 20 61 73 79 6e 63 3d 22 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f 75 6d 32 32 67 32 4c 50 38 4b 6f 30 6a 6b 31 76 48 72 50 43 63 2f 5f 62 75 69 6c 64 4d 61 6e 69 66 65 73 74 2e 6a 73 22 20 61 73 79 6e 63 3d 22 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f 75 6d 32 32 67 32 4c 50 38 4b 6f 30 6a 6b 31 76 48 72 50 43 63 2f 5f 73 73 67 4d 61 6e 69 66 65 73 74 2e 6a 73 22 20 61 73 79 6e 63 3d 22 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: a730fc45296a20.js" async=""></script><script src="/_next/static/um22g2LP8Ko0jk1vHrPCc/_buildManifest.js" async=""></script><script src="/_next/static/um22g2LP8Ko0jk1vHrPCc/_ssgManifest.js" async=""></script></body></html>
2025-01-07 05:00:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:00:18
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xc50000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	00:00:55
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H565rymIuO.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\eae424d8-8c78-4696-9d50-7bbbc6142782.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.1668

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.1668

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Windows Analysis Report
H565rymIuO.doc

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre