Windows Analysis Report
PO Ref673947.docx.doc

Overview

General Information

Sample name: PO Ref673947.docx.doc
Analysis ID: 1538501
MD5: a16ddd1a4f147371f7ee5866e62c42e4
SHA1: d75b092d8d70fcf3c2ab1664541e62cf588233b8
SHA256: 16b9d6d20aad04572a72b4870886478b491d840d505066ebb85d0f6b5accd1ad
Tags: CVE-2017-0199docuser-lowmal3

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Contains an external reference to another file
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3216 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3216, Protocol: tcp, SourceIp: 87.120.84.38, SourceIsIpv6: false, SourcePort: 80
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3216, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3216, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Suricata rule has matched

AV Detection

Source: PO Ref673947.docx.doc; Avira: detected
Source: PO Ref673947.docx.doc; ReversingLabs: Detection: 58%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic; TCP traffic: 192.168.2.22:49161 -> 87.120.84.38:80
Source: global traffic; TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49161
Source: global traffic; TCP traffic: 192.168.2.22:49162 -> 87.120.84.38:80
Source: global traffic; TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49162
Source: global traffic; TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic; TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: Joe Sandbox View; IP Address: 87.120.84.38
Source: Joe Sandbox View; ASN Name: SHARCOM-ASBG
Source: global traffic; HTTP traffic detected:
    GET /txt/mnobizx.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 87.120.84.38
    Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{46851DD0-0074-4A23-8C8F-D9855D70FA2D}.tmp
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:04 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:11 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip
    Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a
Source: ~WRF{89310996-9060-451D-8235-D2328ED63C79}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine; Classification label: mal72.evad.winDOC@1/12@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$ Ref673947.docx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRA4D6.tmp
Source: PO Ref673947.docx.doc; OLE indicator, Word Document stream: true
Source: ~WRF{89310996-9060-451D-8235-D2328ED63C79}.tmp.0.dr; OLE document summary: title field not present or empty
Source: ~WRF{89310996-9060-451D-8235-D2328ED63C79}.tmp.0.dr; OLE document summary: author field not present or empty
Source: ~WRF{89310996-9060-451D-8235-D2328ED63C79}.tmp.0.dr; OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: PO Ref673947.docx.LNK.0.dr; LNK file: ..\..\..\..\..\Desktop\PO Ref673947.docx.doc
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: PO Ref673947.docx.doc; Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: PO Ref673947.docx.doc; Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: \Device\RdpDr\;:1\87.120.84.38\DavWWWRoot
Source: settings.xml.rels; Extracted files from sample: http://87.120.84.38/txt/mnobizx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Section loaded: netapi32.dll and davhlpr.dll loaded
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
MITRE ATT&CK matrix (a number in parentheses is the match count the report attaches to that technique):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: File and Directory Discovery (1); System Information Discovery (1); Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Non-Application Layer Protocol (2); Application Layer Protocol (12); Ingress Tool Transfer (4)
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Source | Detection | Scanner | Label
PO Ref673947.docx.doc | 58% | ReversingLabs | Document-Office.Exploit.CVE-2017-0199
PO Ref673947.docx.doc | 100% | Avira | VBA/Subdoc.lqzhw
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://87.120.84.38/txt/mnobizx.doc | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.84.38 | unknown | Bulgaria | 51189 | SHARCOM-ASBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538501
Start date and time: 2024-10-21 13:22:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO Ref673947.docx.doc
Detection: MAL
Classification: mal72.evad.winDOC@1/12@0/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • VT rate limit hit for: PO Ref673947.docx.doc
No simulations
Match: 87.120.84.38 (IP address)

Associated Sample Name / URL | Detection | Threat Name | Context
mnobizx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/mnobizx.com
yugozxcvb.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/yugozxcv.exe
Quotation Botisk 1475-HIRSCH Technik,____________________________________________.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/dtgLBRsUB45qnMm.exe
quotation list 1.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/EGwnUqNrVeLFNPw.exe
Scanned Copy.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/RKbqmU7pcsLQXbJ.exe
na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/9qP0xWlHdvhkbFG.exe
na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/Rnuwcr38IRNoHzK.exe
na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/iA8CGls28DqWbrP.exe
Scan-Purchase Order3550..docx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/iA8CGls28DqWbrP.exe
PAYMENTX2.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/Wiye6UdJ0SnCj7z.exe
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    SHARCOM-ASBG | mnobizx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | yugozxcvb.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | Quotation Botisk 1475-HIRSCH Technik,____________________________________________.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | quotation list 1.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | Scanned Copy.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | Scan-Purchase Order3550..docx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    SHARCOM-ASBG | PAYMENTX2.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38
    No context
    No context
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025567692180468678
    Encrypted:false
    SSDEEP:6:I3DPczOB2wVvxggLRlEEMN/4nflQbtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPuOB2wZOKnflQbTvYg3J/
    MD5:4A9D657005C032430BED10ECD957FFAA
    SHA1:03CC12A0E883B3C27FA49D80888925A95336CEDA
    SHA-256:B4669C4650CD6545969099F884F34FE5033A80865D7FDAEA663A35C7F8676A36
    SHA-512:24EE95895B2C614F9C25C00F14057A99245ADDCAC061A8EC7CC28F6E0DDFF69CDEE775B92C78B531924B92DA5EA752B86516662E5399DD29977503F508133150
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):2560
    Entropy (8bit):1.423788065612703
    Encrypted:false
    SSDEEP:12:rl3lTpFQhXIs1clos1cloCI44CICICb77:rnWZ1clp1cl
    MD5:B38607F22FD8783649E6829F375C56C8
    SHA1:DD0A3AE811F5CC889E6600C5D31C06DB1FC76714
    SHA-256:6DB9E9445F8FE8458A9E54811F911816CB0FC261C2DF4CF12ED0590FB44F6FE8
    SHA-512:34386843D2CD008B967ECDE19AA6E87CB8ACD052B015FEFB2612EE35CD843CCC75A998CE81DA22E859AF00D7BE317483C97379FF36B02600B7601AC5F3174208
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1879552
    Entropy (8bit):3.6504681095961264
    Encrypted:false
    SSDEEP:6144:6emBde8emQrde9emBdehemKembemBdeUemBdeQemBdehemHemBde2emBdeuemBd+:00s9
    MD5:4EED3A8E4CF59A1998DDD1077FC1207D
    SHA1:B06F180518710946443E3EBDBF3B63B1BF78EC25
    SHA-256:E13E4A9273A8659C12EBAB334E1FC45563C2FD2F0CE6CD3210B684AFA88B5188
    SHA-512:414174170F62AB12E56FBCE6E213B7FB3FFC150F71119D8D49924FE6C02B4B2A3BD0419A4585148A704F4C910F63C524F91FF543396B1C160217B5397F166A04
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.3542654405225152
    Encrypted:false
    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbs:IiiiiiiiiifdLloZQc8++lsJe1Mzf
    MD5:92E0CC75019E40740380F91D25EC1293
    SHA1:AE3CD170B208D34C0F7C15849E4ECFAA1012CE3F
    SHA-256:D6CAB1508C3D9ACB67BAC0F3B22EE420AA9499364B31BE02D0DEE8020E035488
    SHA-512:12A50062BD6CA68A7A1A2E1C2021D74F98D0E6D7301F0E44618C005F304BC040085C1B517938837766F80EB8B25B72E2B37338EA4650F608177CBCAA70DCA105
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025607713886019484
    Encrypted:false
    SSDEEP:6:I3DPcFkiSQxEHvxggLRrN5Z4lpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPzxQxEPvF4lHvYg3J/
    MD5:4341D8C703CDCA4D09BF0B81D5979C1F
    SHA1:C899ED8732121B4A3BD208F5D9C626592EF2FDAF
    SHA-256:53E8741D86C2177C25EEAD09B226A92A2C3D452FC61CD3B34B2A69AD765AB100
    SHA-512:97DD23EEDBE32B8CC54FEFD0E98B994397C0DAAE4D81A24A1D6635F3FF963B6F5C58AA087C85ACF42BFE744CF746D1580DEBAC76120A49CE803E17D941E3D2BB
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025567692180468678
    Encrypted:false
    SSDEEP:6:I3DPczOB2wVvxggLRlEEMN/4nflQbtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPuOB2wZOKnflQbTvYg3J/
    MD5:4A9D657005C032430BED10ECD957FFAA
    SHA1:03CC12A0E883B3C27FA49D80888925A95336CEDA
    SHA-256:B4669C4650CD6545969099F884F34FE5033A80865D7FDAEA663A35C7F8676A36
    SHA-512:24EE95895B2C614F9C25C00F14057A99245ADDCAC061A8EC7CC28F6E0DDFF69CDEE775B92C78B531924B92DA5EA752B86516662E5399DD29977503F508133150
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Mon Oct 21 10:23:58 2024, length=327342, window=hide
    Category:dropped
    Size (bytes):1049
    Entropy (8bit):4.554952808600964
    Encrypted:false
    SSDEEP:12:8BDQA0gXg/XAlCPCHaXhBQNB/qPX+W7IhNdV4icvb4832QDl4lNdbDtZ3YilMMEO:8BVk/XTxKN44Vre7hgbDv3qB57u
    MD5:6E35A96EB7CBB15434B56B93783397FE
    SHA1:FDCB7A0B45DF6AC9A96326499392FDD11041C33E
    SHA-256:C580A556107C96DAF992E5675DA7D738CC1C7BB5F6A554CE9CA59E76075043E0
    SHA-512:59A02249D86CF918DC466DD2B1C86586FFDB6806280B04AFE0F1DF7E94B886C9B9A8E733303B30307456442D43659280618B8890789AC96208A5FE9ACC9A83C0
    Malicious:false
    Reputation:low
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Generic INItialization configuration [folders]
    Category:dropped
    Size (bytes):68
    Entropy (8bit):4.701217804390187
    Encrypted:false
    SSDEEP:3:M1gNmTlXAKLFSm4YNmTlXAKLFSv:MiNmTqQFVNmTqQFc
    MD5:0F79A0BD7065360B402A84DB0FF1B44C
    SHA1:75A0EFA52B2DB75F089881E9BA3412725CC44058
    SHA-256:624B92AFD24E91751C1AE62FA8DB593AA38B7DBBAD5576BF3D5DB232E6BB0232
    SHA-512:6922BA6266A46DB6164B1FC17CA1ECDE3BA8A010556C9151448A8FED487903DDF0A5B68B42E4D120F4E454FFB6C3D360BCBAFF65D6E60B399766287785DFB36B
    Malicious:false
    Preview:[doc]..PO Ref673947.docx.LNK=0..[folders]..PO Ref673947.docx.LNK=0..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
    MD5:89AFCB26CA4D4A770472A95DF4A52BA8
    SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
    SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
    SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
    Category:dropped
    Size (bytes):2
    Entropy (8bit):1.0
    Encrypted:false
    SSDEEP:3:Qn:Qn
    MD5:F3B25701FE362EC84616A93A45CE9998
    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
    Malicious:false
    Preview:..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
    MD5:89AFCB26CA4D4A770472A95DF4A52BA8
    SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
    SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
    SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
    File type:Microsoft Word 2007+
    Entropy (8bit):7.993424144935195
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 58.23%
    • Word Microsoft Office Open XML Format document (27504/1) 32.35%
    • ZIP compressed archive (8000/1) 9.41%
    File name:PO Ref673947.docx.doc
    File size:327'342 bytes
    MD5:a16ddd1a4f147371f7ee5866e62c42e4
    SHA1:d75b092d8d70fcf3c2ab1664541e62cf588233b8
    SHA256:16b9d6d20aad04572a72b4870886478b491d840d505066ebb85d0f6b5accd1ad
    SHA512:3a3bbc37138ae61b2cf8fcf2bf41eb9ba09d06c1c4c035f62af9e9196b3d495cac50f042eeec4033efa9c10a21a1a36b2bf26452309ee553bb911e411a67add8
    SSDEEP:6144:707JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mL/:gd/qYYFNHrz90
    TLSH:4C6412060C9780CC83097859F1A4151E2B6F9C339DA3C875ABF8D6BB4A659CCD7B7B48
    Icon Hash:2764a3aaaeb7bdbf
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 21, 2024 13:24:02.811153889 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:02.816637039 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:02.816716909 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:02.816844940 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:02.822222948 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:03.761234999 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:03.761351109 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:04.209114075 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:04.214427948 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:04.214545012 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:04.214695930 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:04.219969988 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:05.138935089 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:05.347589970 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:05.347690105 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:08.343347073 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:08.348748922 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:08.348817110 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:08.348932028 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:08.354192972 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:09.290409088 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:09.292843103 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:09.298432112 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:09.590085030 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:09.797688007 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:09.905595064 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:09.911446095 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:10.202090979 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:10.239659071 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:10.244905949 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:10.534327030 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:10.783438921 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:10.783504009 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:10.897006989 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:10.902436972 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.192006111 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.192414999 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:11.197758913 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.493390083 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.528045893 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:11.533601999 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.701061010 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:24:11.829603910 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:24:11.829854012 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:25:10.313740015 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:25:10.313824892 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:25:10.313867092 CEST | 49162 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:25:10.319283962 CEST | 80 | 49162 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:25:16.664789915 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:25:16.664889097 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:25:16.665971041 CEST | 49163 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:25:16.671331882 CEST | 80 | 49163 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:25:17.004959106 CEST | 80 | 49161 | 87.120.84.38 | 192.168.2.22
    Oct 21, 2024 13:25:17.005147934 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    Oct 21, 2024 13:26:00.647236109 CEST | 49161 | 80 | 192.168.2.22 | 87.120.84.38
    • 87.120.84.38
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.22 | 49161 | 87.120.84.38 | 80 | 3216 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Timestamp | Bytes transferred | Direction | Data
    Oct 21, 2024 13:24:02.816844940 CEST | 138 | OUT | OPTIONS /txt/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: 87.120.84.38
    Content-Length: 0
    Connection: Keep-Alive
    Oct 21, 2024 13:24:03.761234999 CEST | 187 | IN | HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:03 GMT
    Content-Type: httpd/unix-directory
    Content-Length: 0
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Oct 21, 2024 13:24:11.528045893 CEST | 358 | OUT | GET /txt/mnobizx.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 87.120.84.38
    Connection: Keep-Alive
    Oct 21, 2024 13:24:11.829603910 CEST | 447 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:11 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    1 | 192.168.2.22 | 49162 | 87.120.84.38 | 80 | 3216 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Timestamp | Bytes transferred | Direction | Data
    Oct 21, 2024 13:24:04.214695930 CEST | 128 | OUT | HEAD /txt/mnobizx.doc HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: 87.120.84.38
    Oct 21, 2024 13:24:05.138935089 CEST | 154 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:04 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive
    Oct 21, 2024 13:24:05.347589970 CEST | 154 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:04 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive


    Session ID | Source IP | Source Port | Destination IP | Destination Port
    2 | 192.168.2.22 | 49163 | 87.120.84.38 | 80
    Timestamp | Bytes transferred | Direction | Data
    Oct 21, 2024 13:24:08.348932028 CEST | 132 | OUT | OPTIONS /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: 87.120.84.38
    Oct 21, 2024 13:24:09.290409088 CEST | 529 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:09 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:24:09.292843103 CEST | 133 | OUT | OPTIONS /txt/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: 87.120.84.38
    Oct 21, 2024 13:24:09.590085030 CEST | 187 | IN | HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:09 GMT
    Content-Type: httpd/unix-directory
    Content-Length: 0
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Oct 21, 2024 13:24:09.905595064 CEST | 162 | OUT | PROPFIND /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:24:10.202090979 CEST | 529 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:10 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:24:10.239659071 CEST | 163 | OUT | PROPFIND /txt/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:24:10.534327030 CEST | 517 | IN | HTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:10 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:24:10.783438921 CEST 517 IN HTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:10 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:24:10.897006989 CEST 162 OUT
    Data Ascii: PROPFIND /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:24:11.192006111 CEST 529 IN HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:11 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:24:11.192414999 CEST 163 OUT
    Data Ascii: PROPFIND /txt/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:24:11.493390083 CEST 517 IN HTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:24:11 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>


    Target ID:0
    Start time:07:23:58
    Start date:21/10/2024
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13fa00000
    File size:1'423'704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly