Windows
Analysis Report
5YMh6S8QVr
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
- System is w7x64
- WINWORD.EXE (PID: 1300 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak | |
| | EXPL_CVE_2021_40444_Document_Rels_XML | Detects indicators found in weaponized documents that exploit CVE-2021-40444 | Jeremy Brown / @alteredbytes | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
Timestamp: | 06/16/22-13:30:49.826105 |
SID: | 2036726 |
Source Port: | 80 |
Destination Port: | 49176 |
Protocol: | TCP |
Classtype: | Attempted User Privilege Gain |
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: |
Source: | Metadefender: |
Exploits |
---|
Source: | File source: |
Source: | Extracted files from sample: |
Source: | File opened: |
Source: | TCP traffic: |
Networking |
---|
Source: | Snort IDS: |
Source: | HTTP traffic detected: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | Matched rule: |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Virustotal: |
Source: | Metadefender: |
Source: | LNK file: |
Source: | Classification label: |
Source: | OLE document summary: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Process information set: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 12 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 12 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label |
---|---|---|---|
| | 50% | Virustotal | |
| | 31% | Metadefender | |
| | 100% | Avira | EXP/CVE-2021-40444.Gen |
Source | Detection | Scanner | Label |
---|---|---|---|
| | 0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
194.34.232.147 | unknown | Germany | 35913 | DEDIPATH-LLCUS | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 646982 |
Start date and time: | 2022-06-16 13:29:37 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 5YMh6S8QVr (renamed file extension from none to docx) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal84.expl.evad.winDOCX@1/23@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28785228105969896 |
Encrypted: | false |
SSDEEP: | 96:K/pCLmxDa7gBmua0dZxeO3njU4AAeIA4/e2R6iK5mT8e2R6iK5mTiH:3Scu11nXIQkK |
MD5: | 5DA1085932C7628CBDC0FAAC010F061E |
SHA1: | 48447DDBF2D6C88D564F90DF5F1645E7E0BF6AEB |
SHA-256: | FB957A83FBEA9DE458AC520115581A6BC9A6C6EACC12ABE91C8ACBD40EDBD094 |
SHA-512: | 3868C07E3D68827A0984B9A2AB1221008CDAA22199629F8D9A429B1899A0D29190B2F7E5AF4B075B04D0C756BCF68EF34D2CD6ED5758AAE5D1AE2F14BD293FA8 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8B3C239C-9F59-411F-BE0D-9B570716399E}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6714377365243377 |
Encrypted: | false |
SSDEEP: | 768:p+IdEN41lfMRDbKZUsOg7Af3PXldlNV3/vjmldlNw3/vjNldlNq3/vjUldlNq3/v:pwDka8Uj |
MD5: | 11C1C529D0C834AB8F9EB96863044E30 |
SHA1: | 681A6029B7E617250ABCBBBED2EC142935C18F46 |
SHA-256: | B1A230959B71B4B8776FD6260667DAA3188D6CF25FA13ECB214D31A6BAF32E4D |
SHA-512: | 4CB930A77517444AB00A8F074F768665BABBD6AE49F5B0424386AC47C0A5D8DBD5DB376308FE8C380136B5AD808124241AEEACBCB4EF8E75F176B64D4BD97DB6 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9626738605132825 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlznejKGSLO4glUWsPWzFzZ276:yPblzneuGSyNbHd22 |
MD5: | 1F085DE74D358FF5A8A2BD5880F91C3B |
SHA1: | EEE66A4B685E37D1A1EC88F957160D93BCE4F5DB |
SHA-256: | 9C00AD097BBB299843459FC4D506153B93731C526FBFB889381406795CAF1075 |
SHA-512: | 16D6647D54B9ED8F2E29BF52EB0F090ABB0D3CAA12F6D3C3AE52C414DD3E35F5CEFDE82FE393B1527D87AA5D07216F78564A40454A41F7A4B67C3639CCB79EA1 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28834336005255745 |
Encrypted: | false |
SSDEEP: | 48:I33xdwXRBjupl7i/pSjptWDps7SP/Ot1nrOEF+nEF+nKH:K3xdKLWind/Ot1rxUnEUnKH |
MD5: | 08A9D3299E3EFE5FA48341CB0EAA4DE8 |
SHA1: | C89ACE8E155558EEBD47B5D221E331EA6C33B78D |
SHA-256: | 53CD44BB963E066DD644E9680906C9C807AD59C24A7F942A9951E9E1CBE69228 |
SHA-512: | 04B142E7A289EB93E97624105B307046D12A9CD43AE2656676A0B9424D7921B4FF5EC02268D276B9129A21398D376D085E077542EBDFD6D56F3EEF1A976C28FB |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{72C85F14-C2D2-4B94-9EC6-F5828455F792}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22217115681084815 |
Encrypted: | false |
SSDEEP: | 24:I3mUtLwnM0B34Qyy79s3PB2xiNqrhcaFUZ8+74I7pSe9LS7k77KrYz57O7N4:I3LUrBjyt2xQMM2+8I719LS46ktae |
MD5: | 5E8A60A1A25571F52092360EFF4D8D65 |
SHA1: | CE28B9992B13EA3DA9935E3262950E97614B5E11 |
SHA-256: | 8C10C3D391E414F91508CC063B0A0D4383D438A532EA812B0D10B2F45CC462CF |
SHA-512: | 1391DAA2F9E6984420BE39527FCACAA51EAA41ED54089D9A69805EC5E09F15F0D22C49301495711953A2FA8222E013682368EF96E047FF1D1F1CBA9DA1D35214 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.895046615385681 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlz6sWKRhlrNW0RBgqWjit2lQ5Yc3IFl276:yPblzrNTQHlQ/Q22 |
MD5: | 4527D001AD62B86AAF56B48D884E17FD |
SHA1: | 2942632907C67FC9E50CAD913EDEAF8FC6AF6E80 |
SHA-256: | 4CBC90753C161B4936757869FF7AAF66936381104D20EAD8A6A2E568C96686A8 |
SHA-512: | 89F0BE467ED8FD78B4628EE418A6151D2EC3B6C82A38CB12277BA3226484F82AD9C46E3D511099B78970635CDF9EE02CFDFABEC08149364F1D269C578B79C396 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\side[1].htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | downloaded |
Size (bytes): | 6774 |
Entropy (8bit): | 0.7823015818904822 |
Encrypted: | false |
SSDEEP: | 6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb |
MD5: | EA3FE2CB4B8E3C7AFA0C773A28742AA8 |
SHA1: | FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D |
SHA-256: | 8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101 |
SHA-512: | 73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
IE Cache URL: | http://194.34.232.147/side.html |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\side[1].htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6774 |
Entropy (8bit): | 0.7823015818904822 |
Encrypted: | false |
SSDEEP: | 6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb |
MD5: | EA3FE2CB4B8E3C7AFA0C773A28742AA8 |
SHA1: | FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D |
SHA-256: | 8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101 |
SHA-512: | 73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34450540.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6774 |
Entropy (8bit): | 0.7823015818904822 |
Encrypted: | false |
SSDEEP: | 6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb |
MD5: | EA3FE2CB4B8E3C7AFA0C773A28742AA8 |
SHA1: | FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D |
SHA-256: | 8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101 |
SHA-512: | 73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47FC82E2.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6774 |
Entropy (8bit): | 0.7823015818904822 |
Encrypted: | false |
SSDEEP: | 6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb |
MD5: | EA3FE2CB4B8E3C7AFA0C773A28742AA8 |
SHA1: | FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D |
SHA-256: | 8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101 |
SHA-512: | 73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710 |
Malicious: | true |
Yara Hits: | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\792606B4.dat
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 52 |
Entropy (8bit): | 1.8614575055208968 |
Encrypted: | false |
SSDEEP: | 3:Vm1olpUktK0Xg/lrll0:MW6kK0XgtI |
MD5: | 07FFEFF17A8A1A1209AB3C2690D569D4 |
SHA1: | 37CB513FABDDCDBBAA2E7296B31A4BC9832E1B01 |
SHA-256: | 57CFA30BB860B95B7012ED62427025959B671D270AAF67FC406FBC3C4F3C48D4 |
SHA-512: | 743591E7BFE9936EEE057C9D1769595D48C90BA28057D8EBD0F7299B8FCACD7B8FA50AF30BD0B8B6E09F77ADE16B47D6F0ABB079D60E975443A57C514099AD86 |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AAD8C441.jpeg
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 9805 |
Entropy (8bit): | 7.943364058434094 |
Encrypted: | false |
SSDEEP: | 192:eWSC3lgsFHUzdeJQnmRLMdno3Y1CQdlCQ3rHlX0wbaanHUwiCIviXNNLko/H2K:eujKzdXxt/CeCiFSwxNNAwWK |
MD5: | 98B5273E3C1D3B27777A1A17E51478A5 |
SHA1: | AA6854BA61CEADCCC58F3DC01680D94205B83671 |
SHA-256: | 3953378734D19ABC3AAC6F760C713A10300517C40DD605C7D7518995914205AA |
SHA-512: | 4684921304A199470F7E11F85F5200EB670077D692D46CCA6DE0E4ADD3D32A90B4756EFAB612B5C22552239FA13031B44A06E306F3F97A80933348270AF8F16F |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C330AFBF.wmf
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 74 |
Entropy (8bit): | 2.117514616373907 |
Encrypted: | false |
SSDEEP: | 3:t/Wlsl81olpUktK0Xg/lrll0:t/d8W6kK0XgtI |
MD5: | C4E6B3035AC3828D375E5479E8485D0D |
SHA1: | 624B2E68B669293CE5EF5EDA4EFCFDE97FFEA84A |
SHA-256: | 591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7 |
SHA-512: | 1864A7CBF1C5205F0D1CAC9DA5CA4E8F103B9C045913A98B8A9DA62B3850AB842913235BF38DA6C7D78ECE985D35EBC8F6C15471B5C2FE23A6A4BBF66A03E4DB |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F962F304-2A52-4E33-A96C-51EE6F4187D8}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6656 |
Entropy (8bit): | 2.3934301216447316 |
Encrypted: | false |
SSDEEP: | 24:rsMnGO5p0LyAiiUzvoEoii9K/qX6HyAii9zyAi:r/DiUliI8i |
MD5: | 09143DB5A71D2128B003B2AE1D67725E |
SHA1: | EF415275963EC769FE28F527F4BFF3786E382074 |
SHA-256: | D1BA339319AB2C08E94E50C2E4564C2BB6B62F4050A4ED9907C26D62478A2E0E |
SHA-512: | 34B0471DE7D8BB32013F507D5664C6CC4EB539EB98F38DA06DDDBF3CD59E565949E57533D06F1FA872878ECAD08F7C54CEF94EE76B4CE039BAAE43C0186BF713 |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77360496-4BBE-44C6-A84F-CB369D560D67}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 4532 |
Entropy (8bit): | 3.5486738810837544 |
Encrypted: | false |
SSDEEP: | 96:GI0z2qRb55efGIdspaWLtiT02kDmECITUgm6zu8HGg:Z0HR1HxmECGpZmg |
MD5: | D50E7225C855D7301F2C33659817042D |
SHA1: | 9888F7AF06EEB7CF4D6EC5D07B2B3F07E1353652 |
SHA-256: | 9CF291E21A85224F9A7E9A43C82F864A5EFE6F51DD9124553A2CBEDDC7F6D0A4 |
SHA-512: | 8AEF9931A68B1725626A9F568C79EC07DA126B52305560D526487B22A696539B4E78847F25084B53FBBD52ACC0A7F622CA02B763F312F9D963E597C400C4ED4A |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F66410A8-679A-411F-AE8D-493633C1B9C5}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025675392455075247 |
Encrypted: | false |
SSDEEP: | 6:I3DPcFw+aH9RvxggLRFoCGNwvqURXv//4tfnRujlw//+GtluJ/eRuj:I3DPUw+aHbeDwXvYg3J/ |
MD5: | FFD46519FA0CC2BAB75D9ADD678461E2 |
SHA1: | 3D4CF009840FAA9792B7DB0F8055C83A7A004BC8 |
SHA-256: | EEE52A2320047E0C74D606A5B0E9205CBE6399AF09A94F81C5E4EC7BE277A70C |
SHA-512: | D9760FD7B3ACFBE5437F06144B45EEC6C1DEBB2C404CA7E7931E60DC88EBA98009275A60A8B68B4257973F4B1F865640A0718A081ACFC79813C1FF0D7ECDCC14 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025528638812955824 |
Encrypted: | false |
SSDEEP: | 6:I3DPcbj6ixbvxggLR7txRglj2whtRXv//4tfnRujlw//+GtluJ/eRuj:I3DP8JxbX1whTvYg3J/ |
MD5: | 6148415D8ACB2269EEB5B4047FD77CD2 |
SHA1: | 9D0C2C09EAB11413904368E10610091452C674AD |
SHA-256: | 5248168284CDEFA8DF7694A1D40F3272A8DF1037097D66E99E8153866129597E |
SHA-512: | 7D123E42AB6B4A8497D20D37E58BFA17FA61C8573AAD1CCB47B0446EE1773FA2F260FDFD93A187AF585833605767E427C77F3B3B028FD013995ACD1A48315B26 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.569362549090478 |
Encrypted: | false |
SSDEEP: | 12:8aJhz080gXg/XAlCPCHaXNBQtB/LJUPlxX+WTd/4hGQzjuicvbPx4OGQzNDtZ3Yn:8+rk/XT9SkXP/4hG+NepGkDv3qqY7h |
MD5: | DDB9BAB4CC337F3A2C4D5C17BD3F56A4 |
SHA1: | 1A72699906E116884A57D4BB518EE2EB0E3889ED |
SHA-256: | FD5F3A81DBB885BBAF9069A978B461DDEE5B949D5464B1A3A706449D132C1045 |
SHA-512: | A7578881DD094DB30510062187CA1B8EC95697FFD5493AAB1849164801B062C30638617EE39B2B1B176007126257A6B21C41C3408A4E6D377FDD08D0FBF8F4E7 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 4.891962939381966 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlg6kVomxWYQT6kVov:bCbjyTjy |
MD5: | F580E428B27FE8CDD2DFDF11416A59D1 |
SHA1: | 1FA19247725D97E2F4C8E6BE9326A53486547D8C |
SHA-256: | C4378270A2A9AF816B3CD1F288530B2ED493637B539EA32BC032D1264885F961 |
SHA-512: | 93ECF927FF03A64F49F7382D6793CBE97F6CFBC4189B1D62FF785B748ACAC8D1E85A37403F6AE1C4FFDBEC340A709EB06E02C92533EEB88EDDC15B4F8211AC88 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020303 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl |
MD5: | 1674A1C7C99CD9FAADA789F5E2AEB335 |
SHA1: | 26D9E81D5ED584A899A94D5EA8945A5AE3403F85 |
SHA-256: | BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6 |
SHA-512: | B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:Qn:Qn |
MD5: | F3B25701FE362EC84616A93A45CE9998 |
SHA1: | D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB |
SHA-256: | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
SHA-512: | 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.4797606462020303 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyAI/ugXImW4eedln:vdsCkWtpIGgXvdl |
MD5: | 1674A1C7C99CD9FAADA789F5E2AEB335 |
SHA1: | 26D9E81D5ED584A899A94D5EA8945A5AE3403F85 |
SHA-256: | BB5F0D32E0E1C8B6865FCE4AE1FC50E34CA954B89E771364A6BE6627F7C726B6 |
SHA-512: | B2225E8F93F06FFE32B4FDF987D5134BB06F1B0874509E1CC973FD4D30B0F1341CB1AE72FBE9C282A65794A130E2D9C8D4939B789492BC1BCC96394C5F03E02C |
Malicious: | false |
Entropy (8bit): | 7.851752527928244 |
File name: | 5YMh6S8QVr.docx |
File size: | 24152 |
MD5: | 5a0d45f97ee4b248360b6b2e5eb4706a |
SHA1: | e2a00e3489ede1ac935c78b99f92fdce0e74ed69 |
SHA256: | 57b27abbe3d3c0c20cdc1b408ff6fa562ba5f04fa555cb3adb9dcb03e273b664 |
SHA512: | 049025898f837d37306201a903ebb8507bcc12f9d7f4625436f482964c8741c592daae5a05ac549169426cbd030473f540f6018ee8860e0adb120864141fce9d |
SSDEEP: | 384:C00MWEg9fPCxoNHfn5yAehqbhtgyhdCxi556BhVyH111/eehvcLO6UD6Vz:0MWE0nNv5yHcttg6dwc5YhVueu/Yh |
TLSH: | E5B2BFF4C129646DC60F79B0D13B1BCAF3DC469E73102D893A099386762BB836B71E16 |
File Content Preview: | PK.........b!S................docProps/UT...6p/a6p/aux.............PK..........!.+L..............docProps/app.xmlUT...........ux..............R.N.0..#..Q......f.......6..r&..c[.....x.!.7|.y.~~.l.z.m....w..^Ue.N...~S>4.N....r......#.W........A*X....R..B..p |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/16/22-13:30:49.826105 | TCP | 2036726 | ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 16, 2022 13:30:34.256061077 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:34.278186083 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:34.278311014 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:34.278503895 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:34.300163984 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:34.300235033 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:34.300353050 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:39.305653095 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:39.305811882 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:40.048623085 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:40.070714951 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:40.070858955 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:40.071022034 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:40.092817068 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:40.092865944 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:40.304702044 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:40.319480896 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:40.319648027 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:44.055259943 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:44.077171087 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:44.077292919 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:44.077538967 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:44.099119902 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:44.099335909 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:44.298681974 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.009751081 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.031981945 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.098196030 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.098335981 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.099926949 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.121615887 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.234683990 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.898957968 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.921478033 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.949501038 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.950061083 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.972003937 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.972064018 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.972155094 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.972383976 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:45.995964050 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.996649981 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:45.996728897 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.123972893 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.204092979 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.226705074 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:46.226790905 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.648745060 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.670380116 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:46.670545101 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.761102915 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.782664061 CEST | 80 | 49177 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:46.784399033 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.797122955 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:46.818643093 CEST | 80 | 49177 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:46.818716049 CEST | 80 | 49177 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:47.029990911 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:48.832266092 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:48.854377031 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:49.057023048 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:49.742810965 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:49.764745951 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:49.804140091 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:49.826105118 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:49.826294899 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:49.977560043 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:50.034138918 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:50.055707932 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:50.055854082 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:50.293109894 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:50.315821886 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:50.315973043 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:51.823797941 CEST | 80 | 49177 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:51.824083090 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:51.824136972 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:51.845537901 CEST | 80 | 49177 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:54.770140886 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:54.770324945 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:54.770417929 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:30:54.792143106 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:55.319750071 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22 |
Jun 16, 2022 13:30:55.320036888 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Jun 16, 2022 13:31:55.315190077 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 194.34.232.147 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 13:30:34.278503895 CEST | 1 | OUT | |
Jun 16, 2022 13:30:34.300235033 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49174 | 194.34.232.147 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 13:30:40.071022034 CEST | 3 | OUT | |
Jun 16, 2022 13:30:40.092865944 CEST | 3 | IN | |
Jun 16, 2022 13:30:40.319480896 CEST | 3 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49175 | 194.34.232.147 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 13:30:44.077538967 CEST | 4 | OUT | |
Jun 16, 2022 13:30:44.099335909 CEST | 4 | IN | |
Jun 16, 2022 13:30:45.031981945 CEST | 5 | IN | |
Jun 16, 2022 13:30:45.921478033 CEST | 6 | IN | |
Jun 16, 2022 13:30:48.854377031 CEST | 10 | IN | |
Jun 16, 2022 13:30:49.764745951 CEST | 11 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49176 | 194.34.232.147 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 13:30:45.972383976 CEST | 7 | OUT | |
Jun 16, 2022 13:30:45.996649981 CEST | 7 | IN | |
Jun 16, 2022 13:30:46.204092979 CEST | 8 | OUT | |
Jun 16, 2022 13:30:46.226705074 CEST | 8 | IN | |
Jun 16, 2022 13:30:46.648745060 CEST | 8 | OUT | |
Jun 16, 2022 13:30:46.670380116 CEST | 9 | IN | |
Jun 16, 2022 13:30:49.804140091 CEST | 12 | OUT | |
Jun 16, 2022 13:30:49.826105118 CEST | 12 | IN | |
Jun 16, 2022 13:30:50.034138918 CEST | 13 | OUT | |
Jun 16, 2022 13:30:50.055707932 CEST | 13 | IN | |
Jun 16, 2022 13:30:50.293109894 CEST | 13 | OUT | |
Jun 16, 2022 13:30:50.315821886 CEST | 14 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49177 | 194.34.232.147 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 13:30:46.797122955 CEST | 9 | OUT | |
Jun 16, 2022 13:30:46.818716049 CEST | 10 | IN |
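The IDS alert is keyed by a 4-tuple and a timestamp, while the session tables are keyed by the sandbox client's ephemeral port; joining the two is what tells you which connection (and, through the Process column, which process) the rule fired on, and whether the triggering packet was the server's response or the client's request. The Python below is an added example, not part of the Joe Sandbox report or its tooling. Its packet rows and alert values are constructed from a subset of the tables above, the sandbox client address 192.168.2.22 is taken from those tables, and the handling of the two timestamp layouts is an assumption about how the report prints them.

```python
"""Correlate an IDS alert with the TCP sessions in a sandbox packet log.

Added example for this report; not Joe Sandbox code. PACKET_LOG and ALERT are
constructed from a subset of the report's packet and IDS tables.
"""
from datetime import datetime

# Constructed sample: 'timestamp | src port | dst port | src ip | dst ip' rows.
PACKET_LOG = """\
Jun 16, 2022 13:30:34.256061077 CEST | 49173 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:34.278186083 CEST | 80 | 49173 | 194.34.232.147 | 192.168.2.22
Jun 16, 2022 13:30:40.048623085 CEST | 49174 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:40.070714951 CEST | 80 | 49174 | 194.34.232.147 | 192.168.2.22
Jun 16, 2022 13:30:44.055259943 CEST | 49175 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:44.077171087 CEST | 80 | 49175 | 194.34.232.147 | 192.168.2.22
Jun 16, 2022 13:30:45.950061083 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:45.972064018 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22
Jun 16, 2022 13:30:46.761102915 CEST | 49177 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:49.804140091 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147
Jun 16, 2022 13:30:49.826105118 CEST | 80 | 49176 | 194.34.232.147 | 192.168.2.22
Jun 16, 2022 13:31:55.315190077 CEST | 49176 | 80 | 192.168.2.22 | 194.34.232.147
"""

# Constructed from the report's IDS table (Suricata fast.log-style timestamp).
ALERT = {
    "timestamp": "06/16/22-13:30:49.826105",
    "sid": 2036726,
    "src_ip": "194.34.232.147", "src_port": 80,
    "dst_ip": "192.168.2.22", "dst_port": 49176,
    "msg": "ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)",
}

SANDBOX_CLIENT = "192.168.2.22"  # analysis VM; every other address is remote


def parse_sandbox_ts(ts):
    """'Jun 16, 2022 13:30:34.256061077 CEST' -> naive datetime.

    The rows carry 9 fractional digits; strptime's %f accepts at most 6, so the
    nanosecond digits are dropped. Both timestamp sources are taken as the
    report's local zone, so naive datetimes compare correctly.
    """
    mon, day, year, clock, _tz = ts.split()
    hms, frac = clock.split(".")
    return datetime.strptime(f"{mon} {day} {year} {hms}.{frac[:6]}",
                             "%b %d, %Y %H:%M:%S.%f")


def parse_alert_ts(ts):
    """'06/16/22-13:30:49.826105' -> naive datetime."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def build_sessions(packet_log, client_ip=SANDBOX_CLIENT):
    """Group packets into client->server sessions, numbered by first appearance.

    Mirrors the report's 'Session ID' tables: one entry per client ephemeral
    port, with first/last timestamps and a per-packet direction list.
    """
    sessions = {}
    for line in packet_log.strip().splitlines():
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        when = parse_sandbox_ts(ts)
        if sip == client_ip:
            key, direction = (sip, int(sport), dip, int(dport)), "OUT"
        elif dip == client_ip:
            key, direction = (dip, int(dport), sip, int(sport)), "IN"
        else:
            raise ValueError(f"packet does not involve the sandbox client: {line}")
        s = sessions.setdefault(key, {
            "session_id": len(sessions),
            "client_ip": key[0], "client_port": key[1],
            "server_ip": key[2], "server_port": key[3],
            "first_seen": when, "last_seen": when,
            "packets": [],  # (datetime, "IN" | "OUT")
        })
        s["first_seen"] = min(s["first_seen"], when)
        s["last_seen"] = max(s["last_seen"], when)
        s["packets"].append((when, direction))
    return list(sessions.values())


def correlate_alert(sessions, alert, client_ip=SANDBOX_CLIENT):
    """Map an alert to the session it fired on, or None if no 4-tuple matches.

    'direction' is inbound when the alert's source is the remote side (the
    server response carried the signature), outbound when it is the client.
    'matched_packet' is the packet whose microsecond timestamp equals the
    alert's, if one exists.
    """
    when = parse_alert_ts(alert["timestamp"])
    if alert["dst_ip"] == client_ip:
        key = (alert["dst_ip"], alert["dst_port"], alert["src_ip"], alert["src_port"])
        direction = "inbound"
    else:
        key = (alert["src_ip"], alert["src_port"], alert["dst_ip"], alert["dst_port"])
        direction = "outbound"
    for s in sessions:
        if (s["client_ip"], s["client_port"], s["server_ip"], s["server_port"]) == key:
            matched = [p for p, _ in s["packets"] if p == when]
            return {
                "session_id": s["session_id"],
                "direction": direction,
                "in_window": s["first_seen"] <= when <= s["last_seen"],
                "matched_packet": matched[0] if matched else None,
            }
    return None


if __name__ == "__main__":
    sess = build_sessions(PACKET_LOG)
    for s in sess:
        outs = sum(1 for _, d in s["packets"] if d == "OUT")
        print(f"session {s['session_id']}: {s['client_ip']}:{s['client_port']} -> "
              f"{s['server_ip']}:{s['server_port']}  out={outs} in={len(s['packets']) - outs}")
    hit = correlate_alert(sess, ALERT)
    print(f"SID {ALERT['sid']} fired on session {hit['session_id']} "
          f"({hit['direction']}), packet {hit['matched_packet']}")
```

Run on the constructed rows, the alert resolves to session 3 (client port 49176) as an inbound hit whose timestamp matches the 13:30:49.826105118 server packet, which is the same pairing the report's session table gives and is consistent with the rule's "Inbound" wording: the signature matched content the remote host sent back to WINWORD.EXE, not the request. Real pcaps need a proper flow tracker (TCP state, retransmissions, port reuse); this keys on the 4-tuple only because the report's tables do.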
Target ID: | 0 |
Start time: | 13:30:17 |
Start date: | 16/06/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f950000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |