Windows
Analysis Report
order.docx
Overview
General Information
Detection
CVE-2021-40444
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected CVE-2021-40444 exploit
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Classification
- System is w7x64
- WINWORD.EXE (PID: 1288 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak | |
 | EXPL_CVE_2021_40444_Document_Rels_XML | Detects indicators found in weaponized documents that exploit CVE-2021-40444 | Jeremy Brown / @alteredbytes | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Exploits |
---|
Source: | Extracted files from sample: |
Source: | File opened: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | ASN Name: |
Source: | String found in binary or memory: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | Matched rule: |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | ReversingLabs: |
Source: | LNK file: |
Source: | File created: |
Source: | Classification label: |
Source: | OLE document summary: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Process information set: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 13 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 12 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
69% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444 | ||
100% | Avira | EXP/CVE-2021-40444.Gen |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
polpharmar.com | 91.235.116.180 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.235.116.180 | polpharmar.com | Romania | 51177 | THCPROJECTSRO | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 676557 |
Start date and time: | 01/08/2022 10:48:37 | 2022-08-01 10:48:37 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | order.docx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal68.expl.evad.winDOCX@1/20@7/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
- VT rate limit hit for: order.docx
⊘No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
91.235.116.180 | Get hash | malicious | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
THCPROJECTSRO | Get hash | malicious | Browse |
⊘No context
⊘No context
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28806523107588966 |
Encrypted: | false |
SSDEEP: | 48:I35TRB9NE4co0pOXJL2lgH2SEAFdGJhLeo7dgThb87lrTArRmLRm/H:K5TLchZGJSlnfSdchmtw7pEH |
MD5: | 69E01CD5678E2F435A5DA3DD7098792D |
SHA1: | CD9B07B23BC125CA6AA49FA9ABF57D19D475F488 |
SHA-256: | 4891EF6EBC9EFA8EE67F0B6A02B2C3D4C76D13AF8B23DA56FC5F82F94325EA8D |
SHA-512: | FDFB7DC1C79983438B5F5162AA1DAB10B28A6FF4F3D24B1F8E85C0275C449305D8DDF6FA75710CB8E9AA1C3E0FEFE6EB32579782B1E75B7D91A9426102D6A158 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BDA067BC-A85F-4D09-B1E2-A27A26259E72}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6680333186685128 |
Encrypted: | false |
SSDEEP: | 96:KxaCyc4zzRrdrhr1elVrf7oGzx54HU0HU5LLs1BQM8rDdTM8rDk9rrFF9rrF:jc45Np1eXMGzDU78LsHQ7tT7sFHF |
MD5: | 0F9367D91948664C4F0693A5B2D1F022 |
SHA1: | 87640D1AE4FF977D2262FB54BFC5B84DB76EDFB2 |
SHA-256: | F5B4FDE36B3E368EE7C6E745D715BE2658F830B88C6F411D82C3E16B0BC713B6 |
SHA-512: | FEB40E2A419901F30C4FB9EBDEF7713D947AE18421D5B97270DF5B067F42D0D3EAEFFEE6620DB83B5BADA053367C5960F767E71A021140A47723607FCF440318 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9684196678119985 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzolVJIyrnWWDhPN3IlkNlZZglc9NCR5l276:yPblzolUW1T4+wlc9ot22 |
MD5: | B3F9E95F032199D9FFC42A0D17DB4430 |
SHA1: | 3B883B7D1150D9832CBC819C1852D96B2FD6FF21 |
SHA-256: | 9A45C47B86B253B8AF932AF843250F11E722706F79CDDB7D103971C08E4F8C29 |
SHA-512: | 773C82C9CB1E761B3051473129F93AC19DE9BD4E8C9F437176BEC12D308CF27A5E6260A6D47E5E3F2609C9BBC7A0B625D72EE29C781275A335CA996066F6B2A7 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2879180121063263 |
Encrypted: | false |
SSDEEP: | 48:I3sRBLontTzybGrn7ndxYyK2cw/SgR5ErBQqeQqNH:KsLMnJzybyn7nrYy3DUBQ5Q+H |
MD5: | 12C0319349817D1200BD72928EFF5130 |
SHA1: | 2659A8308AC1006515BFDF4D53B14C9F69F7E102 |
SHA-256: | 9C3F839DC9BE9306C246846AFE3ADBBABB4A4D91210176C0B00AC7D7CBAB88D3 |
SHA-512: | D00FE147BB8D3089B1927875019FA13F5401C62FA82A33821E22AE94DDF8CB7273365748558184B0BF12FEFAC93D2B089BD9B14BDFE5C4CFAA33928D0FB26BE3 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{87FAB0B5-CE0C-4484-80A4-0721760F3A7E}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22123534710596615 |
Encrypted: | false |
SSDEEP: | 48:I3fZUrBKp51f1h0gL1U0/k1t81Z1tubFpZ+18Z+11:KfZCKp51f1z1jk1W1Z1t0o18o11 |
MD5: | 05B01089293DF5BB27FED11ECA430E6F |
SHA1: | 92D1D51F3A1262A740E2239D66759BD14F5583DB |
SHA-256: | 8DFBEF5045064D09CC51B199192171E1B147A5404F9EA799B4260F960E56AAC7 |
SHA-512: | 48EE074EA044A608B5BEF00AF6B72A5865E58F133C16C3FFCEB35D568B7332F49052689340204F119666B15B17F0DB3C4794C3C026CA13F5E1955F13B78B1677 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9574976283572916 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlz4jlG9KSlhmSLlYnPkRIlPSNr7ljtlWglIRZ276:yPblzqhSaS6nPkRIdSPpYglIf22 |
MD5: | 47E62973D3D4A696C9CB8D121EC7DDAA |
SHA1: | 43F1A500741C399A6ADC55BC1013BB0F917F2F20 |
SHA-256: | 209521C1D97FEA95A89C0C09038668F492955E29CDB45180C891D78B86782AB9 |
SHA-512: | DA70307E906E96DFD37DAF5201FB02B6F9CAFE8D4E9455B4FF98DE61E43861C0CB244578AA768ED238DA95CEDBD8A1FEC016F8AD8F4FA2018B20602BD9E435F4 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\test[1].htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 12744 |
Entropy (8bit): | 6.075581200829705 |
Encrypted: | false |
SSDEEP: | 192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D |
MD5: | 2E15CCD20E7E02ED1F80CB3557FA4E89 |
SHA1: | B7C97A67705C420A5246E9C9BB39720B4E1B5FC0 |
SHA-256: | 78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0 |
SHA-512: | FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81 |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://polpharmar.com/test.html |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14683F8F.jpg
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 428988 |
Entropy (8bit): | 7.450719655008162 |
Encrypted: | false |
SSDEEP: | 12288:hMx4+OsFSHQoWeN/aj0k6GgqPbTwlc08ZJ:hMmWeN/XegqPb7J |
MD5: | E8C7DD6A2DED0B1A7C8F5C15FE284802 |
SHA1: | B93D9DC1405EE585DEC160FD0B0E7F2AF0D269A0 |
SHA-256: | 82C2564BFE32D9FCA3B4919AD2FAA4AD8DFCBEC0DD7A1C50C7B1228DD6FF2AB4 |
SHA-512: | 6100C0A1C357E6B05AFE3367B9CA5425C2FE81393E35B1297F9D7AFC5F1F07832B9CD0C26E9142A3BEE6086C6201BE2F2F4345A09044A8DBA49EEAF91B882FEF |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51B846.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 12744 |
Entropy (8bit): | 6.075581200829705 |
Encrypted: | false |
SSDEEP: | 192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D |
MD5: | 2E15CCD20E7E02ED1F80CB3557FA4E89 |
SHA1: | B7C97A67705C420A5246E9C9BB39720B4E1B5FC0 |
SHA-256: | 78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0 |
SHA-512: | FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B00ABF75.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 12744 |
Entropy (8bit): | 6.075581200829705 |
Encrypted: | false |
SSDEEP: | 192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D |
MD5: | 2E15CCD20E7E02ED1F80CB3557FA4E89 |
SHA1: | B7C97A67705C420A5246E9C9BB39720B4E1B5FC0 |
SHA-256: | 78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0 |
SHA-512: | FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 1.9630438652210782 |
Encrypted: | false |
SSDEEP: | 12:rl3bn+HFADYWtaoa5sQ2p0hCXhlSRmCRncKvjMKvqrCJo0nKvqFn7i1X4CIX4X4h:rbR6Op0rRjRcSgSTSWio4VR |
MD5: | D164864528BA69AE924554E4638BA1A6 |
SHA1: | 7257FD1CC0A67FCEBAB6E078533460C45AAF3BBA |
SHA-256: | 36072BAE47AEB89D82C4E9AEAC305591853FB3B5FB5F328B41429E1AD583743E |
SHA-512: | A204231FB6CAC172B2B3CBBAA2D27245B150300D601E948A4A556A560C6FBC2B00295EED81CA8F443285ABFDA149BD780FDA65E80B4DD6EAB2F82D8B38740728 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2888 |
Entropy (8bit): | 2.4712779761264723 |
Encrypted: | false |
SSDEEP: | 24:yFChNWhYG5laEUSsSkS90J+RTskGsAwMKinefAtHDlMsGf2KvBS4OxM:yEXWhh7CSsSkF7kPn/inOA7PJIg4O2 |
MD5: | FE62A27FE716EDD8CA556BD4BD4936B3 |
SHA1: | F16D68DCF3F5B66BC8632362A5582EC266403AA6 |
SHA-256: | 50EF0BFE8FAD94DF14E78769F0DD6259B960DB21348B6BBD5B5A66D94B8968DE |
SHA-512: | 55BA43A5A2811C5A421BCC154B4687D9D002B8F6D86357DB26C9725928F032B9742B52910F292FFFCDFC56FF9862497BF7BB26B19CE7613EC22BE6FFB298FFDA |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025534580459190742 |
Encrypted: | false |
SSDEEP: | 6:I3DPc0hV42J9vxggLRCg/gEQtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpH/glvYg3J/ |
MD5: | 019F974878CAE2B3FC1E26BD4B84F84D |
SHA1: | 24025E2DDB9FB1A00CC767A59E5965DC7FDAB99A |
SHA-256: | 543C4D8F2C76D81913B99D569286D61D0FB1538EE499019BB6B8A3C1564F35D2 |
SHA-512: | 670AAA166C8D0E5EA133CB9E850291D0F263D4DC0A07961A300EE561D10C970181D558D61BD6D35A85CC2ED451B464A5FB4170F02F1CE6D09B8BB4EFA38D98C9 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.02561327614152181 |
Encrypted: | false |
SSDEEP: | 6:I3DPcO7mRvxggLRtuGBTw2RXv//4tfnRujlw//+GtluJ/eRuj:I3DPNCQ40evYg3J/ |
MD5: | 7C0D380D75B07C76F90A64BC0C0BB4C4 |
SHA1: | 97263771B651F3607BA16EE1091E4E0470D0D0A1 |
SHA-256: | 637759E0BB88213E39C092E9150B36626FD34A2D81D3C11301EDA229B0EB6C75 |
SHA-512: | 355EC0BFB45F9D4D1E46A179A1FF2C46327EBA12B69109D331B8818A8CC65D0532FE2AC70120C7C430AB0C350E96A645504F292907A427E247EFD345388E4A84 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 62 |
Entropy (8bit): | 4.385929384302707 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlSmNrFomxWBGrFov:bCYN5yG5y |
MD5: | 6E65A4A82201A6E784741E067206F0FF |
SHA1: | D87C02C96364F566BC9D1BD0731EEABCB675D396 |
SHA-256: | 0DD74BE8D4947A9D214C3996F2B1DAA7489CAEF559D564888A14252FB6F62C9E |
SHA-512: | 85154A06C9B0B429EDD011B6D971135C08DBE1AC3873AF3E61992980EB8573338D704D89BDE19C9527822A435CFDFDEE151574794E8F3A9EC48C626BABDD05BD |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 992 |
Entropy (8bit): | 4.5589914149078465 |
Encrypted: | false |
SSDEEP: | 12:8x94II0gXg/XAlCPCHaXMBzB/nPyX+WeNGY5i+VicvbcHfZpzNDtZ3YilMMEpxRN:8x9Ik/XT89dqwQZ3eQH5Dv3qIu7D |
MD5: | 52F509E11A66BB60D5E215CECE2B2DDA |
SHA1: | 2936E51CCCE4FA3D3B96AD0A73A3601D4E1448CF |
SHA-256: | A0890DE7166F147DDC6289D55DA4E1C2E549CAF2BB94AF5EFC13C6E8BE0DAEAF |
SHA-512: | 2CE4423374F89F3EFC652AD8D0459F2E4511DD20010B85155DDF3190F5C63E8026F8ED50941590C99AB6B1CDFFFD7C0D071A08EE8108A8EF6293ADA7AE20F97F |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:Qn:Qn |
MD5: | F3B25701FE362EC84616A93A45CE9998 |
SHA1: | D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB |
SHA-256: | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
SHA-512: | 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.996855978259955 |
TrID: |
File name: | order.docx |
File size: | 327439 |
MD5: | 8abea2d6c14af54c6eac09d158554085 |
SHA1: | 3802d9c8b3530fe7b140cbd4a12c3895c46077b2 |
SHA256: | aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412 |
SHA512: | 81bc9de694da797127ae09ac5a8e1d630981482e60343d870d6f106752af3bb2a9330852be728c2293a29c890f5d21b31ba820712a052fbc847d0fc06473050d |
SSDEEP: | 6144:khRfXb0GPobJUS8LOtB2x4FSTiSwQOV9Wojlv1CkMb02AxNw+w1m:khRfYGP+JUFOt9einQOKq/Mb0o1m |
TLSH: | 586423C4AAACFCC9E7DC2589E87343F871492954527C9B33E00274AC4DA7292EE77B10 |
File Content Preview: | PK.........g.T..'.d...T.......[Content_Types].xmlUT...S|.bS|.bS|.b...n.0.E......(1tQU..E.......=.n..m^..1..B)..l"%3....5..Z.l.>HkJ2(.$.........9.#Y.......l ....j8.8...M(.<FwOi.s.,....Je.f._}M.....z...RnM....<.h...[..=..s....${h...$.9%9.X.K#.(..P.r......6. |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 1, 2022 10:49:38.572686911 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:38.621368885 CEST | 80 | 49171 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:38.621476889 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:38.621876955 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:38.670455933 CEST | 80 | 49171 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:38.674829960 CEST | 80 | 49171 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:38.674990892 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:43.679717064 CEST | 80 | 49171 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:43.679815054 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:44.537843943 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:44.586576939 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:44.586747885 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:44.586869001 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:44.635643005 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:44.636255026 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:44.846836090 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:44.884654045 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:44.884814978 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.640113115 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:49.640312910 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.640367985 CEST | 49172 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.689097881 CEST | 80 | 49172 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:49.881912947 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.930389881 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:49.930533886 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.930742979 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:49.978899002 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:49.981864929 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:50.182560921 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:50.230763912 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:50.230948925 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:51.319211960 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:51.371577978 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:51.571059942 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.743328094 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.796791077 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.844263077 CEST | 49171 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.844916105 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.893034935 CEST | 80 | 49171 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.893435955 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.893615007 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.900791883 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.949476957 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950392962 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950459957 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950469017 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950470924 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.950478077 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950488091 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950506926 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950517893 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.950521946 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950537920 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950544119 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.950552940 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950567007 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:52.950567961 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.950597048 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.950613976 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.954075098 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:52.990808010 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:53.274751902 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:53.324143887 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:53.329531908 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:53.569763899 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:53.619056940 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:53.619286060 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:54.343363047 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:54.391961098 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:54.392148018 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:54.392364979 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:54.440833092 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:54.441466093 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:54.644490957 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:54.690577030 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:54.690649033 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:55.436187983 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:55.487442970 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:55.689749002 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:56.788990974 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:56.839572906 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:56.855813026 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:56.904831886 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:56.905010939 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:56.926876068 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:56.976238966 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:56.976454020 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:57.047100067 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:57.166090012 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:57.215281963 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:57.215473890 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:59.447031021 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:49:59.447299957 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:59.448188066 CEST | 49175 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:49:59.496814013 CEST | 80 | 49175 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:50:01.844790936 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:50:01.844955921 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:50:01.844994068 CEST | 49173 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:50:01.893204927 CEST | 80 | 49173 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:50:02.219672918 CEST | 80 | 49174 | 91.235.116.180 | 192.168.2.22 |
Aug 1, 2022 10:50:02.219764948 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Aug 1, 2022 10:51:03.713165045 CEST | 49174 | 80 | 192.168.2.22 | 91.235.116.180 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 1, 2022 10:49:38.539911985 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:38.559703112 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:44.487778902 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:44.505176067 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:44.509357929 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:44.536066055 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:49.798683882 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:49.816215992 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:49.818392038 CEST | 55275 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:49.880886078 CEST | 53 | 55275 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:54.283454895 CEST | 59915 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:54.311333895 CEST | 53 | 59915 | 8.8.8.8 | 192.168.2.22 |
Aug 1, 2022 10:49:54.323168039 CEST | 54408 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 1, 2022 10:49:54.342415094 CEST | 53 | 54408 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 1, 2022 10:49:38.539911985 CEST | 192.168.2.22 | 8.8.8.8 | 0xdd01 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:44.487778902 CEST | 192.168.2.22 | 8.8.8.8 | 0x53f0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:44.509357929 CEST | 192.168.2.22 | 8.8.8.8 | 0x4117 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:49.798683882 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:49.818392038 CEST | 192.168.2.22 | 8.8.8.8 | 0xbe50 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:54.283454895 CEST | 192.168.2.22 | 8.8.8.8 | 0xb76d | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:54.323168039 CEST | 192.168.2.22 | 8.8.8.8 | 0x5851 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 1, 2022 10:49:38.559703112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd01 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:44.505176067 CEST | 8.8.8.8 | 192.168.2.22 | 0x53f0 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:44.536066055 CEST | 8.8.8.8 | 192.168.2.22 | 0x4117 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:49.816215992 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:49.880886078 CEST | 8.8.8.8 | 192.168.2.22 | 0xbe50 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:54.311333895 CEST | 8.8.8.8 | 192.168.2.22 | 0xb76d | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Aug 1, 2022 10:49:54.342415094 CEST | 8.8.8.8 | 192.168.2.22 | 0x5851 | No error (0) | | | 91.235.116.180 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49171 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 1, 2022 10:49:38.621876955 CEST | 0 | OUT | |
Aug 1, 2022 10:49:38.674829960 CEST | 0 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49172 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 1, 2022 10:49:44.586869001 CEST | 1 | OUT | |
Aug 1, 2022 10:49:44.636255026 CEST | 2 | IN | |
Aug 1, 2022 10:49:44.884654045 CEST | 2 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49173 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 1, 2022 10:49:49.930742979 CEST | 3 | OUT | |
Aug 1, 2022 10:49:49.981864929 CEST | 3 | IN | |
Aug 1, 2022 10:49:50.230763912 CEST | 4 | IN | |
Aug 1, 2022 10:49:51.319211960 CEST | 4 | OUT | |
Aug 1, 2022 10:49:51.371577978 CEST | 4 | IN | |
Aug 1, 2022 10:49:52.743328094 CEST | 5 | OUT | |
Aug 1, 2022 10:49:52.796791077 CEST | 5 | IN | |
Aug 1, 2022 10:49:55.436187983 CEST | 22 | OUT | |
Aug 1, 2022 10:49:55.487442970 CEST | 23 | IN | |
Aug 1, 2022 10:49:56.788990974 CEST | 23 | OUT | |
Aug 1, 2022 10:49:56.839572906 CEST | 24 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49174 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Aug 1, 2022 10:49:52.900791883 CEST | 6 | OUT | |
Aug 1, 2022 10:49:52.950392962 CEST | 7 | IN | |