File name:

Targeted Advance Persistent Threat (APT) against government officers.docx

Full analysis: https://app.any.run/tasks/c5283617-0e1b-43c5-813e-d18d79f8a37d
Verdict: Malicious activity
Analysis date: August 10, 2024, 12:01:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
ta399
apt
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

CCEC3E4857CBB197AC79B0F3B01F5189

SHA1:

92B54852C1C47969B856FECE5E068BEFF1AC18FB

SHA256:

FEC66A9AABF379D150AD51926B318F9C03EDBE8F7E655193C036DB6C0BA9A6B6

SSDEEP:

12288:qywkC4TDjqMOMnmsBpIjFGpa/QLKz2QptC6e19xzE6v:qywkC4TDjqMOMnmsBpIjFGpa/QLKCQpM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • An automatically generated document

      • WINWORD.EXE (PID: 6272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:08:07 07:36:50
ZipCRC: 0xbd826b99
ZipCompressedSize: 247
ZipUncompressedSize: 737
ZipFileName: _rels/.rels

XML

Template: Normal
TotalEditTime: -
Application: Microsoft Office Word
DocSecurity: None
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
CreateDate: 2024:08:07 06:06:25Z
ModifyDate: 2024:08:07 06:06:25Z
Created: 2024:07:31 00:00:00Z
LastSaved: 2024:07:31 00:00:00Z
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
15
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe fltldr.exe no specs svchost.exe fltldr.exe no specs fltldr.exe no specs ai.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs fltldr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2044"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "784A9764-4172-40F9-84A0-20AAC04F345D" "8CB5D527-9812-44EB-8D63-47CA7A06EC25" "6272"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
2132"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2852"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
2876"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
4644"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
6272"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Targeted Advance Persistent Threat (APT) against government officers.docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6760"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
6804"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
6836"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLTC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Filter Loader
Exit code:
3221225506
Version:
16.0.16026.20000
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
Total events
17 968
Read events
17 493
Write events
436
Delete events
39

Modification events

(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6272
Operation:writeName:0
Value:
0B0E100558DDB14AD0C44B9C1CC4A8A94CB22D230046B6BDD38CD0E3BAED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5118031D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(6272) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
Executable files
19
Suspicious files
130
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C6C1D55B-54F1-4DF2-BEB1-5513551B4896xml
MD5:F0966A34937C75EC956390050B4AEB26
SHA256:E102C74FDA5FF3C8E110E88772371C2AC9536376872467DD3BF96585E17CA29F
6272WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmabr
MD5:4066112A47B25BF1298D67178C5439E9
SHA256:5E954A1C7CC4A1354515321402280AE19AC6E91E9038CC81F313CCF6D5F0011A
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6272WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\006A91A4299A17F6A22154B15FFDDADCder
MD5:C8A24DE7C17226D59CDFC7E68B399CCE
SHA256:5B5D802A2C10FBAFE341CF2E890D7ED5D94C9A00F76644B8FA262BAF4AA40FE9
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmpbinary
MD5:B1D236D6A277A202A39CC6D9A5410D3A
SHA256:2EB8611B61147D2FF47A0B8FD4A772C3BCA988454A192412CBE742A1741DBCBD
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\07fc2a8c43a1d1f16572d21e959a4847e306edae.tempbinary
MD5:32076BBA4166832CEC3A140F18D94E67
SHA256:996BD8C6FE5CEF5CBFA8BFA067CF8EAC24BE211BCB7356D13E5222EA4AFEE8BF
6272WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\006A91A4299A17F6A22154B15FFDDADCbinary
MD5:C39237A8C35EBEB306B05B287550A834
SHA256:7342592D636F67C6569D13C4A2C7CFDF0783FA7455E3E2D130984E793DCB16AE
6272WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:3DFCA46E00FFA4795C72A41375F159D3
SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\data.jsonbinary
MD5:32076BBA4166832CEC3A140F18D94E67
SHA256:996BD8C6FE5CEF5CBFA8BFA067CF8EAC24BE211BCB7356D13E5222EA4AFEE8BF
6272WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8A914538.jpgtext
MD5:A471D39C02EE8428702B468C843C62E3
SHA256:0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
104
DNS requests
33
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6272
WINWORD.EXE
GET
200
184.24.77.46:80
http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgSmAFDKrYDYdL529yLNYfNM%2Bg%3D%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6172
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6272
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6272
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
6272
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
6272
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2968
svchost.exe
GET
304
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
6272
WINWORD.EXE
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6272
WINWORD.EXE
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4088
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6272
WINWORD.EXE
52.109.76.240:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6272
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6272
WINWORD.EXE
23.48.23.30:443
omex.cdn.office.net
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
4088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
omex.cdn.office.net
  • 23.48.23.30
  • 23.48.23.66
  • 23.48.23.45
  • 23.48.23.42
  • 23.48.23.6
  • 23.48.23.11
  • 23.48.23.62
  • 23.48.23.63
whitelisted
mofa-gov-pk.dowmload.info
  • 213.183.55.169
malicious
r10.o.lencr.org
  • 184.24.77.46
  • 184.24.77.83
  • 184.24.77.47
  • 184.24.77.45
whitelisted
www.bing.com
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.181
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.187
  • 2.23.209.135
  • 2.23.209.179
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fs.microsoft.com
  • 184.28.90.27
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
A Network Trojan was detected
ET MALWARE DNS Query to TA399 SideWinder Domain (mofa-gov-pk .dowmload .info)
6272
WINWORD.EXE
A Network Trojan was detected
ET MALWARE Observed TA399/SideWinder Domain (mofa-gov-pk .dowmload .info in TLS SNI)
6272
WINWORD.EXE
A Network Trojan was detected
ET MALWARE Observed TA399/SideWinder Domain (mofa-gov-pk .dowmload .info in TLS SNI)
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Targeted Advance Persistent Threat (APT) against government officers.docx