Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm, type: DROPPED |
Source: unknown |
Network traffic detected: HTTP traffic on port 49171 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49171 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49172 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49172 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49173 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49173 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49174 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49174 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49175 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49175 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49176 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49176 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49177 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49177 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49178 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49178 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49179 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49179 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49180 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49180 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49181 -> 62563 |
Source: unknown |
Network traffic detected: HTTP traffic on port 62563 -> 49181 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.33.231.81 |
Source: dump.pcap, type: PCAP |
Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 |
Source: document.xml.rels, type: SAMPLE |
Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0 |
Source: document.xml.rels, type: SAMPLE |
Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm, type: DROPPED |
Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm, type: DROPPED |
Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm, type: DROPPED |
Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 |
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr |
OLE document summary: title field not present or empty |
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr |
OLE document summary: author field not present or empty |
Source: ~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp.0.dr |
OLE document summary: edited time not present or 0 |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |