Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
510005940.docx.doc

Overview

General Information

Sample name:510005940.docx.doc
Analysis ID:1573919
MD5:67f78042b36c5d41502cfd819aed40e1
SHA1:ec975782a7a39b1e10f1433f11ec779ee4ec2be5
SHA256:72ac05718b08dd894d6d3a54ddaf012464042b50c80acdd5fcaf4ca462cb9d85
Tags:docuser-smica83
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
AI detected landing page (webpage, office document or email)
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Office viewer loads remote template
Sigma detected: Suspicious Microsoft Office Child Process
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3380 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EXCEL.EXE (PID: 3968 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EXCEL.EXE (PID: 4020 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • verclsid.exe (PID: 300 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
  • EXCEL.EXE (PID: 3116 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EXCEL.EXE (PID: 2176 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Microsoft Office Child Process
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3380, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 300, ProcessName: verclsid.exe
Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3380, Protocol: tcp, SourceIp: 172.67.163.184, SourceIsIpv6: false, SourcePort: 443
Sigma detected: Modification of IE Registry Settings
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3380, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Sigma detected: Office Macro File Creation
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3380, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 510005940.docx.docReversingLabs: Detection: 13%

Phishing

barindex
AI detected landing page (webpage, office document or email)
Source: Screenshot id: 9Joe Sandbox AI: Page contains button: 'CLICK HERE' Source: 'Screenshot id: 9'
Source: Screenshot id: 9Joe Sandbox AI: Screenshot id: 9 contains prominent button: 'click here'
Source: Screenshot id: 11Joe Sandbox AI: Page contains button: 'CLICK HERE' Source: 'Screenshot id: 11'
Source: Screenshot id: 11Joe Sandbox AI: Screenshot id: 11 contains prominent button: 'click here'
Source: unknownHTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknownHTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2

Software Vulnerabilities

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source: global trafficDNS query: name: jktc.pro
Source: global trafficDNS query: name: jktc.pro
Source: global trafficDNS query: name: jktc.pro
Source: global trafficDNS query: name: jktc.pro
Source: global trafficDNS query: name: jktc.pro
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 104.21.34.183:443
Source: global trafficTCP traffic: 104.21.34.183:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.67.163.184:443
Source: global trafficTCP traffic: 172.67.163.184:443 -> 192.168.2.22:49164
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global trafficHTTP traffic detected: GET /NegyN8 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: jktc.proConnection: Keep-Alive
Source: unknownHTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknownHTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{414307C9-CCAC-4463-B74B-0E4CB521FCB7}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /NegyN8 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: jktc.proConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: jktc.pro
Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
Source: unknownHTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: ~WRF{9945ABC2-2805-4E13-A648-B6F3E342AC7F}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engineClassification label: mal76.expl.evad.winDOC@7/15@5/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$0005940.docx.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR6C3.tmpJump to behavior
Source: 510005940.docx.docOLE indicator, Word Document stream: true
Source: G 50 06-2024 SKIKDA.xlsx.0.drOLE indicator, Workbook stream: true
Source: 510005940.docx.docOLE document summary: title field not present or empty
Source: ~WRF{9945ABC2-2805-4E13-A648-B6F3E342AC7F}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{9945ABC2-2805-4E13-A648-B6F3E342AC7F}.tmp.0.drOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: 510005940.docx.docReversingLabs: Detection: 13%
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5Jump to behavior
Source: C:\Windows\System32\verclsid.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\verclsid.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\verclsid.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\verclsid.exeSection loaded: rpcrtremote.dllJump to behavior
Source: 510005940.docx.LNK.0.drLNK file: ..\..\..\..\..\Desktop\510005940.docx.doc
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: 510005940.docx.docInitial sample: OLE zip file path = word/media/image2.emf
Source: 510005940.docx.docInitial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/worksheets/_rels/sheet5.xml.rels
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: G 50 06-2024 SKIKDA.xlsx.0.drInitial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: 510005940.docx.docInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

barindex
Microsoft Office launches external ms-search protocol handler (WebDAV)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\jktc.pro@SSL\DavWWWRootJump to behavior
Contains an external reference to another file
Source: settings.xml.relsExtracted files from sample: https://jktc.pro/negyn8
Office viewer loads remote template
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 3120Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 3120Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\System32\verclsid.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts13
Exploitation for Client Execution		1
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Virtualization/Sandbox Evasion		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Virtualization/Sandbox Evasion		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager3
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive13
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
Ingress Tool Transfer		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
510005940.docx.doc13%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://jktc.pro/NegyN80%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
jktc.pro
172.67.163.184
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://jktc.pro/NegyN8false
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    172.67.163.184
    		jktc.proUnited States
    		13335CLOUDFLARENETUStrue
    104.21.34.183
    		unknownUnited States
    		13335CLOUDFLARENETUSfalse

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1573919
    Start date and time:2024-12-12 17:55:03 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 53s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:12
    Number of new started drivers analysed:1
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:510005940.docx.doc
    Detection:MAL
    Classification:mal76.expl.evad.winDOC@7/15@5/2
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .doc
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer

    Warnings

    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: 510005940.docx.doc

    Simulations

    Behavior and APIs

    TimeTypeDescription
    11:57:32API Interceptor6x Sleep call for process: verclsid.exe modified

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    172.67.163.1844lXTg8P7Ih.elfGet hashmaliciousMiraiBrowse
    • /tmUnblock.cgi
    104.21.34.183Quotation.xlsGet hashmaliciousUnknownBrowse
    • bom.so/4yoxhH

    Domains

    No context

    ASNs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    CLOUDFLARENETUSinstaller.exeGet hashmaliciousUnknownBrowse
    • 172.67.74.152
    https://liveisdestiny.me/librarydll2.exeGet hashmaliciousHTMLPhisherBrowse
    • 104.16.79.73
    https://liveisdestiny.me/librarydll2.exeGet hashmaliciousHTMLPhisherBrowse
    • 104.16.80.73
    z3oPvgjvyN.exeGet hashmaliciousLummaC StealerBrowse
    • 172.67.206.64
    Captcha.htaGet hashmaliciousLummaC, Cobalt Strike, HTMLPhisher, LummaC StealerBrowse
    • 172.67.207.38
    https://t.co/srDcIXmUyAGet hashmaliciousUnknownBrowse
    • 172.66.0.227
    https://docs.google.com/presentation/d/e/2PACX-1vRMxSBYgTIj7bH-OYJSKudpxaekmSD6B-b603kyy-2ygb7TXyfRQC-hU8fjYDSrrObCUBq88ZmRswwh/pub?start=false&loop=false&delayms=3000Get hashmaliciousUnknownBrowse
    • 172.67.134.110
    NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdfGet hashmaliciousUnknownBrowse
    • 162.247.243.29
    file.exeGet hashmaliciousVidarBrowse
    • 172.64.41.3
    file.exeGet hashmaliciousLummaC StealerBrowse
    • 104.21.79.7
    CLOUDFLARENETUSinstaller.exeGet hashmaliciousUnknownBrowse
    • 172.67.74.152
    https://liveisdestiny.me/librarydll2.exeGet hashmaliciousHTMLPhisherBrowse
    • 104.16.79.73
    https://liveisdestiny.me/librarydll2.exeGet hashmaliciousHTMLPhisherBrowse
    • 104.16.80.73
    z3oPvgjvyN.exeGet hashmaliciousLummaC StealerBrowse
    • 172.67.206.64
    Captcha.htaGet hashmaliciousLummaC, Cobalt Strike, HTMLPhisher, LummaC StealerBrowse
    • 172.67.207.38
    https://t.co/srDcIXmUyAGet hashmaliciousUnknownBrowse
    • 172.66.0.227
    https://docs.google.com/presentation/d/e/2PACX-1vRMxSBYgTIj7bH-OYJSKudpxaekmSD6B-b603kyy-2ygb7TXyfRQC-hU8fjYDSrrObCUBq88ZmRswwh/pub?start=false&loop=false&delayms=3000Get hashmaliciousUnknownBrowse
    • 172.67.134.110
    NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdfGet hashmaliciousUnknownBrowse
    • 162.247.243.29
    file.exeGet hashmaliciousVidarBrowse
    • 172.64.41.3
    file.exeGet hashmaliciousLummaC StealerBrowse
    • 104.21.79.7

    JA3 Fingerprints

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    05af1f5ca1b87cc9cc9b25185115607dinvoice09850.xlsGet hashmaliciousRemcosBrowse
    • 104.21.34.183
    • 172.67.163.184
    Invoice A037.xlsGet hashmaliciousUnknownBrowse
    • 104.21.34.183
    • 172.67.163.184
    Request for quote.docGet hashmaliciousSnake KeyloggerBrowse
    • 104.21.34.183
    • 172.67.163.184
    NESTLE_MEXICO_Purchase_Order_10122024.xlsGet hashmaliciousUnknownBrowse
    • 104.21.34.183
    • 172.67.163.184
    FATR98765678000.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 104.21.34.183
    • 172.67.163.184
    Orden_de_Compra_Nmero_6782929219.xlsGet hashmaliciousHTMLPhisherBrowse
    • 104.21.34.183
    • 172.67.163.184
    Payment Confirmation..docmGet hashmaliciousSnake KeyloggerBrowse
    • 104.21.34.183
    • 172.67.163.184
    Potvrda_o_uplati.docx.docGet hashmaliciousUnknownBrowse
    • 104.21.34.183
    • 172.67.163.184
    Estado de cuenta.xlsGet hashmaliciousXenoRATBrowse
    • 104.21.34.183
    • 172.67.163.184
    Estado de cuenta.xlsGet hashmaliciousUnknownBrowse
    • 104.21.34.183
    • 172.67.163.184
    7dcce5b76c8b17472d024758970a406bDocument.xlaGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    xeroxscan.DocxGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    xeroxscan.DocxGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    invoice09850.xlsGet hashmaliciousRemcosBrowse
    • 172.67.163.184
    Document.xla.xlsxGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    Invoice A037.xlsGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    tqkdMdv2zO.docGet hashmaliciousXenoRATBrowse
    • 172.67.163.184
    Document.xla.xlsxGet hashmaliciousUnknownBrowse
    • 172.67.163.184
    Estado.de.cuenta.xlsGet hashmaliciousAveMaria, UACMeBrowse
    • 172.67.163.184
    Estado.de.cuenta.xlsGet hashmaliciousAveMaria, UACMeBrowse
    • 172.67.163.184

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025571619284967973
    Encrypted:false
    SSDEEP:6:I3DPcqDu9vxggLR7bNiiXplDRXv//4tfnRujlw//+GtluJ/eRuj:I3DP9yRXJiQbvYg3J/
    MD5:3CA24BDD46A952820D875786170FC172
    SHA1:AEA568FC2D29C1CD8061041C25A3F51ABF6C7EE0
    SHA-256:101EF746EC6E21A05435E749D790232B3B204C39E86BC1E9A705B8BC0D9AE0AA
    SHA-512:F82B31575F6F8DD88C825845F4F8C6FA7B48C3CCA891FEB5D8BDFB8C68CEAC64484171CAD28474B79ADCDCF139AFB8566388843671BADBC8C03202C00A5867DF
    Malicious:false
    Reputation:low
    Preview:......M.eFy...zU93.o.O.....c..S,...X.F...Fa.q.............................A. .=.G.$.L%8*i...........>.C.J.`..^.S".....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C3870D7.emf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):3217764
    Entropy (8bit):2.662795084566888
    Encrypted:false
    SSDEEP:6144:mwy8+1KoyO7oqtl3CcDL1O5PRcYH1Om96BCbgT4oyA7oqtl3CcBL1OrPRcYH1O4i:a1L71NSj1OmUTb71/4j1O4i
    MD5:546FEAA5D9AC3346B59E656ECBA180DD
    SHA1:80E87CD9B6AE92201E88EC6634CD2BEE64C10B4D
    SHA-256:5174B392DD049C87B7F9AF817AB17AD1F232B0A8900A277E91CD91DDEDF3B532
    SHA-512:1B1F7ECE91D6D12C073715C22FADD47CBE4952AB4F137E3A9AE71F01D8E050BBB99263B7C8743CDD6A27DEE3FD2C559B5FC8C7965A8D5406ECD1FC526FCE1980
    Malicious:false
    Reputation:low
    Preview:....l...............M...........)...7... EMF....d.1.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................N..."...........!...................................................N..."...........!...................................................N..."...........!...................................................N..."...........!...................................................N...'......................%..........................................................L...d...........q...............r.......!..............?...........?................................'.......................%...........(.......................L...d...q...............q...........

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\60D264EC.emf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):7392
    Entropy (8bit):5.625010366507759
    Encrypted:false
    SSDEEP:96:3q1blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHuRY:3oTNAK4oOIGbK1RvVwPAWmOH1
    MD5:617A127B3E0FDEF0778C2F508CDA7B41
    SHA1:149784230B2202BBF25EDBEEC1D53085F1F50EA1
    SHA-256:DB6E0B643E7DF2ADF770109C59829A2DAE15B58902C7F3AB837973158CD55DF4
    SHA-512:EEBD6039B4BCA2B545586BEB617D90E238B0106EB18BE41E0AF3D33B44CEFC0787DF5CCABA07105216C8178705209460AD17FD2306958B916F9BD162EB334A8B
    Malicious:false
    Reputation:low
    Preview:....l...............<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d....................u...u....t....\....u......u.<.u.7..t.....u.\\.u?..t.......t.\.....w8y............u....w....$.....a.d.......t.u.*X.t.....X.t@t..8y..x......-...$.u.6=.w................<.\w.[Pw....X.Z.....\........................Qwdv......%...................................r.......[...........'...[.......(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9945ABC2-2805-4E13-A648-B6F3E342AC7F}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):123392
    Entropy (8bit):7.386059216741003
    Encrypted:false
    SSDEEP:3072:sy6ahWg9g3tytSV7oPIIy6ahWg9G3tytSV7oPI:syXPy3dVEPIIyXPU3dVEPI
    MD5:C11E82E4D2C6831FCD8400733068FF54
    SHA1:923F7D0F4ABF376CD125D87DC7C9071D81987D4F
    SHA-256:371BFAC915D1EF96CA6663689D1C4CDFEB8DD9D50C165B747AC9CC7FCF057E8D
    SHA-512:D45904DF5D6C96CAA7E41A4D853A5C6A712FEAB8659E947C03090A99548C505C4111BDEAF1CC917C725A0724709D1F1DF023179C5FA2CE58D5C207B6FE413C7F
    Malicious:false
    Reputation:low
    Preview:......................>...................................&...................z...................................................................................................................................................................................................................................................................................................................................................................................................................................................(....................................................................................................................... ...!..."...#...$...%...............w...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v.......x...y.......

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{414307C9-CCAC-4463-B74B-0E4CB521FCB7}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{483C3B01-330A-496E-AC1F-674126684E7D}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.0567364186808914
    Encrypted:false
    SSDEEP:6:3pk65ygFpUElClDA2233jlll7lEe2SZeO4XwPxZSu20:3ptyKpUMClDr6bFlEe2WesZSV0
    MD5:D69C1F221607DD41D6FE509B8C728D83
    SHA1:4EF6F702A13D065111AF8EEE63F9E81A6544EBAB
    SHA-256:709D4FF5423F43CFE20184A941C2A9AD39CECD81D22A5228CE04CB06006A50E8
    SHA-512:7325680AED61D5789AEF4942359661AB0400638647925A825EBC6F16C2B4F0EBECBD2E9AE43A15B410ED7349C608CB55DA224B49E0BB398B90C3BB228A1569CA
    Malicious:false
    Preview:....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . .....E.M.B.E.D. .P.a.c.k.a.g.e..... . ...5.4.=.5...5._.2.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\G 50 06-2024 SKIKDA.xlsx

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Microsoft Excel 2007+
    Category:dropped
    Size (bytes):38971
    Entropy (8bit):7.714275544485921
    Encrypted:false
    SSDEEP:768:fIn6WqQw0TJ7t7XGvdfBwEhkY2FXV7hyZK7pSOqJqb:A6t0tytSEqlF7oZTpIb
    MD5:D002DEB2631FFD8072C540692E5990F4
    SHA1:97D66B498849964BD44CE33DE14AF5A26F44331B
    SHA-256:84A720AE192846078648C7445B123CFF9DF3B89BCA032B7329EC46874C2A8A4C
    SHA-512:DBE2D4872F6824C731062D68BA302014EA09D1C0C271382238FEF68F8E7291503C8414D19344D1F156072A1D2227ED3DD932CE8B7EE9AF3EBCC3C1750DF923C0
    Malicious:false
    Preview:PK..........!....V....K.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V_O.0.......uJ\.L.j..l......}m.:..;J..)....D./...?..|..e..$...........Y).>.....Iy.\.P.....|.2~\E..g{,EE...D]A....<.LC...g...\.@..F?....SN....oa...e...{...z...5T.P1:...P....I..S....\3t.1.2X.P.,3.. bc(....G.*xf+.+...[....>.x.mR/.a.AC....v......^%..j^\.t.%..S..b7.k..AQ+.7.......}..,........Dt|?...'...t.'9.....0{..i...>.-.>.J%0...s6......0..k._..h.....S.(7.C.k.a....=......,.].[2.{..3...<.y0....6..7._D..%....M\.t

    C:\Users\user\AppData\Local\Temp\G 50 06-2024 SKIKDA.xlsx:Zone.Identifier

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:gAWY3n:qY3n
    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
    Malicious:false
    Preview:[ZoneTransfer]..ZoneId=3..

    C:\Users\user\AppData\Local\Temp\{5D6CF06C-0EFA-4564-BA87-D9EC461E1A2A}

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025446767844716812
    Encrypted:false
    SSDEEP:6:I3DPcayvxggLRn2tlxIEJbtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPZELRE1TvYg3J/
    MD5:3F1F1EF54992D044E118314FF80ACDB6
    SHA1:D09564C7E689F21015D4EAE6306C316D8934400A
    SHA-256:C33466852F7E77ECF4DB82457103AD8E52DBB332C100798A4E6665A8E2D1D787
    SHA-512:04389E39AA0FB2B01F7E5B834DC13FF140DFF4B4529A6D3C9711F435D754C659716351E919322CD2C3A8C62B9A3B4B3D789489D441E53610FA124B926B486608
    Malicious:false
    Preview:......M.eFy...z...}..'K..@3.')S,...X.F...Fa.q..................................E./d.$..;............pBkB.GOe.W.E.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\{91DD65DA-5860-41C2-8BAF-3CE91D16D113}

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025571619284967973
    Encrypted:false
    SSDEEP:6:I3DPcqDu9vxggLR7bNiiXplDRXv//4tfnRujlw//+GtluJ/eRuj:I3DP9yRXJiQbvYg3J/
    MD5:3CA24BDD46A952820D875786170FC172
    SHA1:AEA568FC2D29C1CD8061041C25A3F51ABF6C7EE0
    SHA-256:101EF746EC6E21A05435E749D790232B3B204C39E86BC1E9A705B8BC0D9AE0AA
    SHA-512:F82B31575F6F8DD88C825845F4F8C6FA7B48C3CCA891FEB5D8BDFB8C68CEAC64484171CAD28474B79ADCDCF139AFB8566388843671BADBC8C03202C00A5867DF
    Malicious:false
    Preview:......M.eFy...zU93.o.O.....c..S,...X.F...Fa.q.............................A. .=.G.$.L%8*i...........>.C.J.`..^.S".....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\~$G 50 06-2024 SKIKDA.xlsx

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):165
    Entropy (8bit):1.4377382811115937
    Encrypted:false
    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
    MD5:797869BB881CFBCDAC2064F92B26E46F
    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
    Malicious:false
    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\510005940.docx.LNK

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:39 2023, mtime=Fri Aug 11 15:42:39 2023, atime=Thu Dec 12 15:56:29 2024, length=481243, window=hide
    Category:dropped
    Size (bytes):1034
    Entropy (8bit):4.531817575041476
    Encrypted:false
    SSDEEP:12:8gACk1tgXg/XAlCPCHaXaZBnB/J0X+WlKlji1R8icvbEd+L8Im1RUDtZ3YilMMEk:8DZ/XTQlkqmr3enirUDv3qo457u
    MD5:C14B6074DA2A08A4C875B52780380175
    SHA1:9F8DB795A14E5376E57F70A1B5BA55DF8DC0A4DF
    SHA-256:5BE829D565487AF43362A1D0DB1C7340BAD2ADD32FE11533E73D21FAF87CAC69
    SHA-512:5C344A55FB3B92162DCCFF584E6CD29E3470B66274E226BA3860B59DF484A2695A2FECED7D4E24127C3FDF1EEE35BB0E3052AFDEE5A0A1F970BD774139A313D2
    Malicious:false
    Preview:L..................F.... ...+,..r...+,..r......L...W...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Y....user.8......QK.X.Y..*...&=....U...............A.l.b.u.s.....z.1......WV...Desktop.d......QK.X.WV.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2..W...Y.. .510005~1.DOC..R.......WT..WT.*.........................5.1.0.0.0.5.9.4.0...d.o.c.x...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\571345\Users.user\Desktop\510005940.docx.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.5.1.0.0.0.5.9.4.0...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......571345..........D_....3N...W...9..W.e8...8.....[D_

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Generic INItialization configuration [folders]
    Category:dropped
    Size (bytes):62
    Entropy (8bit):4.2449355289185355
    Encrypted:false
    SSDEEP:3:M1QU/DLZFSm4p/DLZFSv:Ma+LZFSLZFc
    MD5:9446CB834BD4071437A17A258EDA4523
    SHA1:3625CC041E15933AB025FDB1C2CD8A3652C1E0D9
    SHA-256:8A3B4AE034F0D3469FB968F853B3F808EB4087AA94885ABC1C03DDBDD1393545
    SHA-512:F83E31717362B46AC8B685DAE4FFC5D69C48BCF54F5EE4F56CE891BC04ACE37BB51F7090E43ED2A0158EFFAF807454D6AF3E573C53456AF6A9ED9C8867F76FDF
    Malicious:false
    Preview:[doc]..510005940.docx.LNK=0..[folders]..510005940.docx.LNK=0..

    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
    MD5:C4615A023DC40AFFAEAE6CF07410BB43
    SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
    SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
    SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

    C:\Users\user\Desktop\~$0005940.docx.doc

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
    MD5:C4615A023DC40AFFAEAE6CF07410BB43
    SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
    SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
    SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

    Static File Info

    General

    File type:Microsoft Word 2007+
    Entropy (8bit):7.9928224160378125
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 58.23%
    • Word Microsoft Office Open XML Format document (27504/1) 32.35%
    • ZIP compressed archive (8000/1) 9.41%
    File name:510005940.docx.doc
    File size:481'243 bytes
    MD5:67f78042b36c5d41502cfd819aed40e1
    SHA1:ec975782a7a39b1e10f1433f11ec779ee4ec2be5
    SHA256:72ac05718b08dd894d6d3a54ddaf012464042b50c80acdd5fcaf4ca462cb9d85
    SHA512:e8619d408d9ddccb239c34700bb59ee0f8d7cab9d6d46c11282cd27119fba62c0048a9090ced8a6aeec694f0a0ff997a880e13cabd2a4e8710fd071210935774
    SSDEEP:12288:RqQ4HETQNC4qJbQF5+ouR5DDj/rtcfxXZ:I3HEyC4qJ8X+zVY
    TLSH:4AA4233072DD1B24E61F56BB8A0528ACF1D43D6EC72C9F7A12725AD8BD33B0E46D1909
    File Content Preview:PK........lr.YU...............[Content_Types].xmlUT.....Zg..Zg..Zg.TKO.0..#...|E.....5...G@...\{.z./y.h.=..T..)P.$.g..<.......2..Zq..D.AGc......._.BR.(...b.(.'?N..U........t!%..x.ML.8.....g.....5.y>...:..@5..1._C...U..|.;.. ..>.H.B...V.a.....:v..`.~..i...

    File Icon

    Icon Hash:2764a3aaaeb7bdbf

    Static OLE Info

    General

    Document Type:OpenXML
    Number of OLE Files:1

    OLE File "510005940.docx.doc"

    Indicators
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False
    Summary
    Title:
    Subject:
    Author:91974
    Keywords:
    Template:Normal.dotm
    Last Saved By:91974
    Revion Number:3
    Total Edit Time:2
    Create Time:2024-12-11T10:06:00Z
    Last Saved Time:2024-12-12T08:48:00Z
    Number of Pages:1
    Number of Words:8
    Number of Characters:49
    Creating Application:Microsoft Office Word
    Security:0
    Document Summary
    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:false
    Company:Grizli777
    Contains Dirty Links:false
    Shared Document:false
    Changed Hyperlinks:false
    Application Version:12.0000

    Streams

    Stream Path: \x1Ole10Native, File Type: data, Stream Size: 39490
    General
    Stream Path:\x1Ole10Native
    CLSID:
    File Type:data
    Stream Size:39490
    Entropy:7.696361051343165
    Base64 Encoded:True
    Data ASCII:> . . . . G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . C : \\ U s e r s \\ 9 1 9 7 4 \\ O n e D r i v e \\ D e s k t o p \\ W o r d F i l e \\ N E W F I L E S \\ G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . . . . . = . . . C : \\ U s e r s \\ 9 1 9 7 4 \\ A p p D a t a \\ L o c a l \\ T e m p \\ G 5 0 0 6 - 2 0 2 4 S K I K D A . x l s x . ; . . P K . . . . . . . . . . ! . . V . . . K . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:3e 9a 00 00 02 00 47 20 35 30 20 20 20 30 36 2d 32 30 32 34 20 53 4b 49 4b 44 41 2e 78 6c 73 78 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 37 34 5c 4f 6e 65 44 72 69 76 65 5c 44 65 73 6b 74 6f 70 5c 57 6f 72 64 46 69 6c 65 5c 4e 45 57 46 49 4c 45 53 5c 47 20 35 30 20 20 20 30 36 2d 32 30 32 34 20 53 4b 49 4b 44 41 2e 78 6c 73 78 00 00 00 03 00 3d 00 00 00 43 3a 5c 55 73 65 72 73 5c 39
    Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6
    General
    Stream Path:\x3ObjInfo
    CLSID:
    File Type:data
    Stream Size:6
    Entropy:1.2516291673878228
    Base64 Encoded:False
    Data ASCII:. . . . . .
    Data Raw:00 00 03 00 01 00

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Dec 12, 2024 17:56:35.809855938 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:35.809931993 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:35.809992075 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:35.817104101 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:35.817157984 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:37.056581974 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:37.056757927 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:37.062489986 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:37.062501907 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:37.062808037 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:37.062858105 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:37.166054010 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:37.211332083 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:38.258178949 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:38.258261919 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:38.258542061 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:38.258708954 CET49161443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:38.258733988 CET44349161172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:39.463581085 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:39.463690042 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:39.463778973 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:39.474323988 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:39.474359989 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:40.697741032 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:40.697973967 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:40.702111959 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:40.702143908 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:40.702512980 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:40.708328962 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:40.751334906 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:41.407982111 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:41.408152103 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:41.408370018 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:41.409861088 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:41.409924030 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:41.409962893 CET49162443192.168.2.22104.21.34.183
    Dec 12, 2024 17:56:41.409981966 CET44349162104.21.34.183192.168.2.22
    Dec 12, 2024 17:56:46.902764082 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:46.902867079 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:46.902951002 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:46.904072046 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:46.904107094 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:48.147475958 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:48.147629976 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:48.151071072 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:48.151077986 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:48.151405096 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:48.164747953 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:48.207334995 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:49.387587070 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:49.387659073 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:49.388005018 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:49.456172943 CET49163443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:49.456208944 CET44349163172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:51.906503916 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:51.906559944 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:51.906621933 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:51.906922102 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:51.906934977 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.173290014 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.175059080 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.176414967 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.176425934 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.177759886 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.177764893 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.914602041 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.914659977 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.914688110 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.914704084 CET44349164172.67.163.184192.168.2.22
    Dec 12, 2024 17:56:53.914736986 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.914762974 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.914762974 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.914849997 CET49164443192.168.2.22172.67.163.184
    Dec 12, 2024 17:56:53.914865017 CET44349164172.67.163.184192.168.2.22

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Dec 12, 2024 17:56:35.225234985 CET5456253192.168.2.228.8.8.8
    Dec 12, 2024 17:56:35.805675983 CET53545628.8.8.8192.168.2.22
    Dec 12, 2024 17:56:38.495520115 CET5291753192.168.2.228.8.8.8
    Dec 12, 2024 17:56:39.077852964 CET53529178.8.8.8192.168.2.22
    Dec 12, 2024 17:56:39.079833031 CET6275153192.168.2.228.8.8.8
    Dec 12, 2024 17:56:39.460971117 CET53627518.8.8.8192.168.2.22
    Dec 12, 2024 17:56:46.385755062 CET5789353192.168.2.228.8.8.8
    Dec 12, 2024 17:56:46.741241932 CET53578938.8.8.8192.168.2.22
    Dec 12, 2024 17:56:46.745258093 CET5482153192.168.2.228.8.8.8
    Dec 12, 2024 17:56:46.892107964 CET53548218.8.8.8192.168.2.22

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Dec 12, 2024 17:56:35.225234985 CET192.168.2.228.8.8.80x1228Standard query (0)jktc.proA (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:38.495520115 CET192.168.2.228.8.8.80xc99bStandard query (0)jktc.proA (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:39.079833031 CET192.168.2.228.8.8.80x7368Standard query (0)jktc.proA (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.385755062 CET192.168.2.228.8.8.80xc083Standard query (0)jktc.proA (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.745258093 CET192.168.2.228.8.8.80x1100Standard query (0)jktc.proA (IP address)IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Dec 12, 2024 17:56:35.805675983 CET8.8.8.8192.168.2.220x1228No error (0)jktc.pro172.67.163.184A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:35.805675983 CET8.8.8.8192.168.2.220x1228No error (0)jktc.pro104.21.34.183A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:39.077852964 CET8.8.8.8192.168.2.220xc99bNo error (0)jktc.pro104.21.34.183A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:39.077852964 CET8.8.8.8192.168.2.220xc99bNo error (0)jktc.pro172.67.163.184A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:39.460971117 CET8.8.8.8192.168.2.220x7368No error (0)jktc.pro172.67.163.184A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:39.460971117 CET8.8.8.8192.168.2.220x7368No error (0)jktc.pro104.21.34.183A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.741241932 CET8.8.8.8192.168.2.220xc083No error (0)jktc.pro172.67.163.184A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.741241932 CET8.8.8.8192.168.2.220xc083No error (0)jktc.pro104.21.34.183A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.892107964 CET8.8.8.8192.168.2.220x1100No error (0)jktc.pro104.21.34.183A (IP address)IN (0x0001)false
    Dec 12, 2024 17:56:46.892107964 CET8.8.8.8192.168.2.220x1100No error (0)jktc.pro172.67.163.184A (IP address)IN (0x0001)false

    HTTP Request Dependency Graph

    • jktc.pro

    HTTPS Proxied Packets

    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    0192.168.2.2249161172.67.163.1844433380C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-12 16:56:37 UTC130OUTOPTIONS / HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: jktc.pro
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-12 16:56:38 UTC961INHTTP/1.1 504 Gateway Time-out
    Date: Thu, 12 Dec 2024 16:56:38 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f8AKzg2FTDJMF5D%2Fve9b0HK7hoHB9dnukFzo%2FgLSDbugVIydhRza4X6DQfT07xJJpxiwKAz919VbIOJSIf9U1fPCkzvyDYeGUVeOntH7I15umytbc%2Fn5qPV92Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 8f0f3fb15bee72a4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1929&min_rtt=1917&rtt_var=743&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2803&recv_bytes=744&delivery_rate=1449131&cwnd=207&unsent_bytes=0&cid=9a166fc265f7aa15&ts=1217&x=0"
    2024-12-12 16:56:38 UTC15INData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 34
    Data Ascii: error code: 504


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    1192.168.2.2249162104.21.34.1834433380C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-12 16:56:40 UTC115OUTHEAD /NegyN8 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: jktc.pro
    2024-12-12 16:56:41 UTC964INHTTP/1.1 504 Gateway Time-out
    Date: Thu, 12 Dec 2024 16:56:41 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TJnNHdJ%2FHyGGeeI%2BBqp35K2xROrsb7lDmiXQVN8aG224529qgDcHIHmdZsE18v4aRxeA%2Bv44H0ADkkwGwME1M%2BTL3vQumJ6PB1zZWRh7aeaiIMrdKbp%2B571EVw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 8f0f3fc81ed94411-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1594&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2803&recv_bytes=729&delivery_rate=1772920&cwnd=235&unsent_bytes=0&cid=cea13146aff4d9d8&ts=718&x=0"


    Session IDSource IPSource PortDestination IPDestination Port
    2192.168.2.2249163172.67.163.184443
    TimestampBytes transferredDirectionData
    2024-12-12 16:56:48 UTC125OUTOPTIONS / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: jktc.pro
    2024-12-12 16:56:49 UTC967INHTTP/1.1 504 Gateway Time-out
    Date: Thu, 12 Dec 2024 16:56:49 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q7iElQni7Y97HETF%2FXVxD0yX40jQf%2B9PJD4AmTu8Mn%2FVFjBS0%2FrmEN8Vbo6db5HN7S3rFZ82pCe%2FsAB8eVLSsDscYncP3P3Y9b3b4eXEfSE%2Bve7gTcchwtKnUw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 8f0f3ff6e9f14210-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1622&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2805&recv_bytes=739&delivery_rate=1729857&cwnd=244&unsent_bytes=0&cid=04f00c7890024b17&ts=1251&x=0"
    2024-12-12 16:56:49 UTC15INData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 34
    Data Ascii: error code: 504


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    3192.168.2.2249164172.67.163.1844433380C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-12 16:56:53 UTC345OUTGET /NegyN8 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: jktc.pro
    Connection: Keep-Alive
    2024-12-12 16:56:53 UTC962INHTTP/1.1 504 Gateway Time-out
    Date: Thu, 12 Dec 2024 16:56:53 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2FpkJBeDV7i8TNeLwho3NrIvZaQtV4wXm16I%2F9FdHQxseVckxK4qRoRGbZSQ5lTi4xcps5NtTidQO%2BMvDFPsRVpA9wVjFmps5UqtrA2Ox4VLeQINdTdZYc%2Blcw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 8f0f40163fc343e0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=643&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2804&recv_bytes=927&delivery_rate=1700640&cwnd=247&unsent_bytes=0&cid=68e7679578730b79&ts=748&x=0"
    2024-12-12 16:56:53 UTC15INData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 34
    Data Ascii: error code: 504


    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:11:56:29
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13f4c0000
    File size:1'423'704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:8
    Start time:11:57:28
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
    Imagebase:0x13f8f0000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:9
    Start time:11:57:29
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
    Imagebase:0x13f8f0000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:10
    Start time:11:57:32
    Start date:12/12/2024
    Path:C:\Windows\System32\verclsid.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
    Imagebase:0xfffb0000
    File size:11'776 bytes
    MD5 hash:3796AE13F680D9239210513EDA590E86
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:11
    Start time:11:57:32
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
    Imagebase:0x13f8f0000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:12
    Start time:11:57:33
    Start date:12/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
    Imagebase:0x13f8f0000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Disassembly

    No disassembly