Windows Analysis Report
Shipping Document.docx.doc

Overview

General Information

Sample name:	Shipping Document.docx.doc
Analysis ID:	1520408
MD5:	0aa21e3880e6016cf48e0c0c38c5f753
SHA1:	0a36f40ff304c0450b8ae22a0444fa8e5e70dd18
SHA256:	0b8b68f159995d4c24fd93e6f3f8efc5ab6716e99219a248b44e92e15af393d6
Tags:	docdocxuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Microsoft Office launches external ms-search protocol handler (WebDAV)

Contains an external reference to another file

Office viewer loads remote template

Document misses a certain OLE stream usually present in this Microsoft Office document type

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Classification

Signatures

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49161 version: TLS 1.2

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /DVyB6x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: a8s.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /350/ec/greatthingstobegreatmagicthingstobegreataudiothingstogetmebackwithentirethignstobegreattounderstandhowmuchgreatthignstheyaredoingfor________niceprojecthingstobe.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.32.148Connection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79F8DF0A-CDD6-46CE-B8C0-3C3580ADD1C2}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /DVyB6x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: a8s.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /350/ec/greatthingstobegreatmagicthingstobegreataudiothingstogetmebackwithentirethignstobegreattounderstandhowmuchgreatthignstheyaredoingfor________niceprojecthingstobe.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.32.148Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: a8s.app

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.6Date: Fri, 27 Sep 2024 08:53:29 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: frame-ancestors https://*.autonom8.comStrict-Transport-Security: max-age=31536000; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.6Date: Fri, 27 Sep 2024 08:53:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: frame-ancestors https://*.autonom8.comStrict-Transport-Security: max-age=31536000; includeSubDomains; preload

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49161 version: TLS 1.2

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal56.evad.winDOC@1/17@7/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ipping Document.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9108.tmp

Jump to behavior

Source: Shipping Document.docx.doc	OLE indicator, Word Document stream: true
Source: Shipping Document.docx.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: Shipping Document.docx.doc	OLE document summary: title field not present or empty
Source: Shipping Document.docx.doc	OLE document summary: title field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Shipping Document.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Shipping Document.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image4.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image3.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image2.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image4.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image3.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image2.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet2.xlsx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Shipping Document.docx.doc

Initial sample: OLE summary lastprinted = 2024-06-09 14:15:36

Source: Shipping Document.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\a8s.app@SSL\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://a8s.app/dvyb6x

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr

Stream path '_1788917966/Package' entropy: 7.9144418881 (max. 8.0)

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.93.135.146	a8s.app	United States		15169	GOOGLEUS	false
104.168.32.148	unknown	United States		36352	AS-COLOCROSSINGUS	false

Contacted Domains

Name	IP	Active
a8s.app	34.93.135.146	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://a8s.app/DVyB6x	false		unknown
http://104.168.32.148/350/ec/greatthingstobegreatmagicthingstobegreataudiothingstogetmebackwithentirethignstobegreattounderstandhowmuchgreatthignstheyaredoingfor________niceprojecthingstobe.doc	false		unknown

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49161 version: TLS 1.2

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app
Source: global traffic	DNS query: name: a8s.app

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 34.93.135.146:443
Source: global traffic	TCP traffic: 34.93.135.146:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.168.32.148:80
Source: global traffic	TCP traffic: 104.168.32.148:80 -> 192.168.2.22:49167

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /DVyB6x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: a8s.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /350/ec/greatthingstobegreatmagicthingstobegreataudiothingstogetmebackwithentirethignstobegreattounderstandhowmuchgreatthignstheyaredoingfor________niceprojecthingstobe.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.32.148Connection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.32.148

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79F8DF0A-CDD6-46CE-B8C0-3C3580ADD1C2}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /DVyB6x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: a8s.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /350/ec/greatthingstobegreatmagicthingstobegreataudiothingstogetmebackwithentirethignstobegreattounderstandhowmuchgreatthignstheyaredoingfor________niceprojecthingstobe.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.32.148Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: a8s.app

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.6Date: Fri, 27 Sep 2024 08:53:29 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: frame-ancestors https://*.autonom8.comStrict-Transport-Security: max-age=31536000; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.6Date: Fri, 27 Sep 2024 08:53:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: frame-ancestors https://*.autonom8.comStrict-Transport-Security: max-age=31536000; includeSubDomains; preload

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 34.93.135.146:443 -> 192.168.2.22:49161 version: TLS 1.2

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal56.evad.winDOC@1/17@7/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ipping Document.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9108.tmp

Jump to behavior

Source: Shipping Document.docx.doc	OLE indicator, Word Document stream: true
Source: Shipping Document.docx.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: Shipping Document.docx.doc	OLE document summary: title field not present or empty
Source: Shipping Document.docx.doc	OLE document summary: title field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Shipping Document.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Shipping Document.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image4.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image3.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/media/image2.emf
Source: Shipping Document.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image4.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image3.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/media/image2.emf
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet2.xlsx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Shipping Document.docx.doc

Initial sample: OLE summary lastprinted = 2024-06-09 14:15:36

Source: Shipping Document.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: \Device\RdpDr\;:1\a8s.app@SSL\DavWWWRoot

Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://a8s.app/dvyb6x

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: ~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp.0.dr

Stream path '_1788917966/Package' entropy: 7.9144418881 (max. 8.0)

ID:	1520408
Product:	CloudBasic
Start time:	10:52:16
Start date:	27.09.2024
Sample:	Shipping Document.docx.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	0aa21e3880e6016cf48e0c0c38c5f753
SHA1:	0a36f40ff304c0450b8ae22a0444fa8e5e70dd18
SHA256:	0b8b68f159995d4c24fd93e6f3f8efc5ab6716e99219a248b44e92e15af393d6
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 58.23%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)	data	ED820DBA4CB1B47F858652B4627047F1	5F0528FE37D7B6BB83F17C9660B13721FE90E705	F2FA34E6E2DA47F7265DCEA9EC6AF4BA45E1FF3989B7F89D581C618D09222A97
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E4FA525.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	B26BA61E488C67CF430B2BD98AB68F35	7505989C3DC3C0687607B83EEBB87299A5C6E134	BCE0A286BCED2FBEFF65E8AC01C417689E1053DACBA3BA473A3350ACC3AFDE01
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A35D55BF.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	3A8DA5B76D6B5312D055CAF09F894D6C	F045D2B3B4A87C48AD1FF3A79D15B536FA8DA863	601C0BD78909A01152A7A697AF54EA37B90D893DDAD21CDC55B5D7DE12ED156C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D67520E2.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	3661FC2009882CD720EAD67DF45EFF03	BC65677C7DEC5624D95B25E65A2933A0C73541F6	C475A3541E4CA355AE7329D826A5F9635B5ECC7B7A3A8A5476E16C24E83F1D1C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB8E74B4.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	6406F6DAC2E95FB4970C4F9BF5A95EBF	6332B1626377DF9B712AD997AB5A8C6C440442C8	2A29434A2B22B9BEB23F1E1F4146F8F400CFDEF8C2799AC8D328B20D7A1B0D00
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F999A813-F242-43C2-AE8B-2164A426237D}.tmp	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: 91974, Last Saved Time/Date: Thu Sep 26 02:49:26 2024, Security: 0	A234B4AD9D370F2B42D17097DE27CE42	00C3A173BFA7F254818DF706F1DF8288AC171AB6	9E466E9A99622DD43D999748774637C1BE19DE9B99DE513F097A09373FA5E3E4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4FE2B8A1-7A31-4D8B-80B3-3560F3E0FB88}.tmp	Targa image data - Map 6 x 7 x 8 +4 +5 "\011"	182E9DDF85D79FA12C12281637013BBA	DCDA29CADA94D1E0A967D48157A55069BF4C2ED0	772C7559679E95A04CE9146EABB6B20E3EBBF51CDADDFDEDFA25969960E99750
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79F8DF0A-CDD6-46CE-B8C0-3C3580ADD1C2}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\{03B46F10-E3FF-45F5-AC3A-D648578C709C}	data	ED820DBA4CB1B47F858652B4627047F1	5F0528FE37D7B6BB83F17C9660B13721FE90E705	F2FA34E6E2DA47F7265DCEA9EC6AF4BA45E1FF3989B7F89D581C618D09222A97
C:\Users\user\AppData\Local\Temp\{F1AC1A83-1EE7-488F-83CF-B38AAF22B941}	data	C9093CF3A83C04C263DB029011258B43	738E387BFFA2CE74EA76F1143C032B8778C08A8B	502DC77468E512E4DF3D882F3E700674BB88F96FD9E9412B0FC1227B6D421778
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Shipping Document.docx.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:11 2023, mtime=Fri Aug 11 15:42:11 2023, atime=Fri Sep 27 07:53:13 2024, length=245915, window=hide	7A67857596D0F48B59DEE009413F6C8E	1752015B0DD3A7C61BCA4696E7425BC962C12F71	BB7320A0FBD633AD284F7B3D5F7932416F87AF815DD1EED03A9C761510F9ABBC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	6CD2AEF29AE6DE1ED72F3BE650A315CA	53409F29C0C46DB68BC3C958D9723116729DDACC	03C1C89061CAE4674DD7FF4F4CE79331B76DDC97516E865FED98611356874C85
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\Desktop\Shipping Document.docx.doc (copy)	Microsoft Word 2007+	DEAE5AAA4319B5E1F3F036F982D7E118	A997D269F2F1B49798DD711E251FADCCF61BF4CB	DCFFA1B3AD6121AAAE524374A48909F88290B01AEE1A234BF47923D568B3B70B
C:\Users\user\Desktop\~$ipping Document.docx.doc	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\Desktop\~WRD0000.tmp	Microsoft Word 2007+	DEAE5AAA4319B5E1F3F036F982D7E118	A997D269F2F1B49798DD711E251FADCCF61BF4CB	DCFFA1B3AD6121AAAE524374A48909F88290B01AEE1A234BF47923D568B3B70B
C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
Shipping Document.docx.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Shipping Document.docx.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Shipping Document.docx.doc