Windows Analysis Report: icRTA4gcSe
Overview
General Information
Detection

Score | Range | Whitelisted | Confidence
---|---|---|---
88 | 0 - 100 | false | 100%
- System is w7x64
- WINWORD.EXE (PID: 3024 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Yara matches (sample):

Rule | Description | Author
---|---|---
SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak
INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen

Yara matches (dropped files):

Rule | Description | Author
---|---|---
SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard
EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
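The two rule groups above describe the two halves of the chain this report records: a docx whose document.xml.rels carries an external OLE relationship (which makes Word fetch a remote page when the file is opened), and a fetched HTML page that hands an ms-msdt: URI to the Microsoft Support Diagnostic Tool. The following Python script is an added worked example, not code from the Joe Sandbox report and not the Yara rules' own signatures. It applies both checks to a document and a fetched page, adding the 8-bit entropy measure the report lists per dropped file as a padding heuristic. The docx container, the rels XML, the example.invalid URL and the HTML page are constructed test inputs; the PCWDiagnostic / IT_RebrowseForFile parameters are taken from public Follina proof-of-concept pages, and the 4096-byte and 1.5-bit thresholds are the example's own assumptions.

```python
"""Static triage for the Follina (CVE-2022-30190) document chain (added example).

The docx, rels XML and HTML below are constructed test inputs, not the
analysed sample. The checks mirror the intent of the Yara rules named in
the report; they are not those rules' signatures.
"""
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types Word resolves at open time. oleObject + TargetMode="External"
# is the Follina loader pattern; attachedTemplate is the older remote-template trick.
RISKY_REL_TYPES = ("/oleObject", "/attachedTemplate")
REMOTE_TARGET = re.compile(r"^(?:https?://|\\\\)", re.I)  # URL or UNC path

# ms-msdt: is routed to msdt.exe. The troubleshooter id and IT_*BrowseForFile
# parameters are those used by public PoC pages (assumption, not from the report).
MSDT_URI = re.compile(r"ms-msdt:", re.I)
MSDT_PARAMS = re.compile(r"PCWDiagnostic|IT_(?:Re)?BrowseForFile", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 8-bit entropy the report lists per dropped file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Relationships in document.xml.rels that make Word fetch a remote target."""
    hits: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        rtype, target = rel.get("Type", ""), rel.get("Target", "")
        if rel.get("TargetMode") != "External" or not rtype.endswith(RISKY_REL_TYPES):
            continue
        if REMOTE_TARGET.match(target):
            hits.append({"id": rel.get("Id", ""), "type": rtype.rsplit("/", 1)[-1],
                         "target": target,
                         # the original public Follina sample ended its target with "!"
                         "bang_suffix": str(target.endswith("!"))})
    return hits


def msdt_indicators(html: str) -> Dict[str, bool]:
    """Indicators in a page fetched through the external relationship."""
    raw = html.encode("utf-8", "replace")
    return {
        "ms_msdt_uri": bool(MSDT_URI.search(html)),
        "pcw_diagnostic_params": bool(MSDT_PARAMS.search(html)),
        # PoC pages were padded with filler past a few KB; a multi-KB page with very
        # low entropy (the report's copy: 6837 bytes, entropy 0.86) is that padding.
        "padded_low_entropy": len(raw) > 4096 and shannon_entropy(raw) < 1.5,
    }


def triage(docx_bytes: bytes, fetched_html: str) -> Dict[str, object]:
    """Combine both halves of the chain into one verdict."""
    rels = external_relationships(docx_bytes)
    html = msdt_indicators(fetched_html)
    if rels and html["ms_msdt_uri"]:
        verdict = "follina-chain"
    elif rels or html["ms_msdt_uri"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"external_rels": rels, "html": html, "verdict": verdict}


def build_docx(rels_xml: str) -> bytes:
    """Wrap a rels part in a minimal OOXML container (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


BENIGN_RELS = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
               f'<Relationships xmlns="{PKG_NS}">'
               f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
               f'</Relationships>')
FOLLINA_STYLE_RELS = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                      f'<Relationships xmlns="{PKG_NS}">'
                      f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
                      f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
                      f'Target="https://example.invalid/fb0f9c45.html!" TargetMode="External"/>'
                      f'</Relationships>')
FOLLINA_STYLE_HTML = ("<!DOCTYPE html><html><body>\n<!-- " + "A" * 6000 + " -->\n"  # filler
                      '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
                      '/param \\"IT_RebrowseForFile=?\\"";</script>\n</body></html>')

if __name__ == "__main__":
    print(triage(build_docx(FOLLINA_STYLE_RELS), FOLLINA_STYLE_HTML))
    print(triage(build_docx(BENIGN_RELS), "<html><body>hello</body></html>"))
```

The relationship check is the one worth running at the mail gateway, because it fires before any network fetch: a document that needs an external oleObject target to render is already an anomaly for ordinary business correspondence. The HTML checks only apply once the page has been retrieved, which in this analysis happened from the S3 bucket named in the IOC tables.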
Signature overview (the per-row evidence of the original report was carried in links and is not included in this copy; the behaviour classes the sandbox flagged are listed):

AV Detection
- Antivirus hits from Avira, Virustotal, Metadefender and ReversingLabs on the sample and on extracted files (values in the antivirus tables below).

Exploits
- File source (4 entries) and extracted files from sample.
- HTTPS and HTTP traffic detected, several hundred TCP connections, DNS queries (7), DNS traffic detected, JA3 fingerprints (2), network traffic detected (20 entries).
- String found in binary or memory (3), file opened, file created.

System Summary
- Matched rule (11 Yara matches).
- OLE stream indicators for Word, Excel, PowerPoint, and Visio; OLE document summary (3 entries).
- Virustotal, Metadefender and ReversingLabs detections.
- Registry key opened, LNK file, files created, file read, file opened, window detected, classification label, initial sample.

Persistence and Installation Behavior
- Extracted files from sample.
- Process information set (63 entries).
MITRE ATT&CK techniques matched (number of signatures per technique):

- Execution: Exploitation for Client Execution (13)
- Defense Evasion: Masquerading (1)
- Discovery: File and Directory Discovery (1), System Information Discovery (2)
- Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (2)
Antivirus detection, sample:

Detection | Scanner | Label
---|---|---
48% | Virustotal |
29% | Metadefender |
62% | ReversingLabs | Document-Office.Exploit.CVE-2022-30190
100% | Avira | W97M/Dldr.Agent.G1

Antivirus detection, dropped files (the three cached copies of the fetched HTML page):

Detection | Scanner | Label
---|---|---
100% | Avira | JS/CVE-2022-30190.G
100% | Avira | JS/CVE-2022-30190.G
100% | Avira | JS/CVE-2022-30190.G

Antivirus detection, URLs:

Detection | Scanner | Label
---|---|---
0% | Avira URL Cloud | safe
Contacted domains:

Name | IP | Active | Malicious | Reputation
---|---|---|---|---
s3-r-w.eu-west-2.amazonaws.com | 3.5.244.102 | true | false | high
sqdocs.s3.eu-west-2.amazonaws.com | unknown | unknown | false | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
3.5.246.192 | unknown | United States | 16509 | AMAZON-02US | false
3.5.244.102 | s3-r-w.eu-west-2.amazonaws.com | United States | 16509 | AMAZON-02US | false
52.95.148.170 | unknown | United States | 16509 | AMAZON-02US | false
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 685945 |
Start date and time: | 2022-08-18 01:54:42 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | icRTA4gcSe (renamed file extension from none to docx) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.expl.evad.winDOCX@1/18@7/3 |
EGA Information: | Failed |
HDC Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
Context: other analyses in the Joe Sandbox database that share indicators with this sample. Each key below is listed with 20 matches, all classified malicious; the associated sample names and SHA-256 values were links and are not included in this copy.

- Domain: s3-r-w.eu-west-2.amazonaws.com
- ASN: AMAZON-02US (two IP entries)
- JA3 fingerprints: 05af1f5ca1b87cc9cc9b25185115607d, 7dcce5b76c8b17472d024758970a406b
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28546168775466585 |
Encrypted: | false |
SSDEEP: | 48:I3eMRBuhPaKP/G1svEPA7eJMw9mOrY149fn6FrwjtiXMiXsH:KNLKyKnA79fn6JDLsH |
MD5: | 819347F4E445339164B92BBC284DFC12 |
SHA1: | 781396E867E2EC6001C0E3158DB663604FDA8C5F |
SHA-256: | DD2FFBA4C1742BC78E9FDBDB47E876A391A4EFE0E2CAC23E9D182F0590701DB7 |
SHA-512: | 3F227DDE16D0521CB4AABBDEB14A29D293B5B15E9592520993D197697B2CAAA2AF8AC33294CA9DC19A58F7020FD9736224E9DF68D5A009393C40FABE2E4EDA5E |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B11B56B7-FF16-4429-B914-E820C021DA19}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.6724360935500183 |
Encrypted: | false |
SSDEEP: | 96:KmfCyg5V7joGjWBkWphj3B4QPJC767fVrRR:zgQGa7fRfV |
MD5: | 96413703B72C526AA110FCAE29017058 |
SHA1: | 97232D47710AB7842FC9E432CD7BF87CE595B7E1 |
SHA-256: | EB406B0E2C455855011BDA7D02AF872159692917A4379D284F699E42000C0A83 |
SHA-512: | A36CB373E76DD795F821916E0AA8BE62C7F695D58044E98F94BFE92DB181F4D838F8E1D2329C62CB33FF8DD6A19FB850BDFAF9086EE8A83EB5A6270ECABE986E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9451300008641605 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzvKlTlIsTdld3eVl8hlMILlZ276:yPblzyrIQXeP8zMIf22 |
MD5: | 4B62421B1F4358F2D084FBF3591185C8 |
SHA1: | A52999672F6943C250B5B9C985984E155CD925DC |
SHA-256: | BF4A253C2EE0DB470F9662B54E074E55FF8B4CF3D506B61018B314C1B9FD6948 |
SHA-512: | A0623064339AA94377688A98FD377A95A8B050483F8CA9E1E5C90AA27E4154DC2210441DBA9C51089304CF444A9A7897B898505D187D3714B0BF0E37F4C5D5AA |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28746439393875955 |
Encrypted: | false |
SSDEEP: | 48:I3CRBICnBS4hmtUKdx5t5Ido5di5N785LkrU5qKJ5AsKIKo5KobH:KCLj01Hqb8GU0YasrJrH |
MD5: | 1CF1F2C36141022DAEA5DE8B56035037 |
SHA1: | A91C691900D5C689B4A8D317012F426A6C9FE8F1 |
SHA-256: | 7F183CF286131B3B0AA3ACA6C95ABB323853DAFEB990BB07ABD882B816902166 |
SHA-512: | B71C7C9AD2F2CB652F9B38B6F1BFAEFBAA3E1C250E800FC827909FB77B1113F3A61EF4658ED42F605718409B00C7ABB94E16C65446780072486C1A028A3672B2 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7808CAC8-5245-4C0B-9091-621941B6E1B1}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22061925751546507 |
Encrypted: | false |
SSDEEP: | 24:I3FLwnM0B34XdkmXtUZi9zhA/0taMTw1ky4c+eqtqfBKa3gQtckWv9PgIi3YPqDX:I3FUrBq79C/yo210ulli3VTITc |
MD5: | 45FBD8495A8429D64F051DB0AC32F202 |
SHA1: | 7A06F13C88842D62F108EF611CAB885F893BC7DE |
SHA-256: | F370DD4FA387873D45BDC69DF3309E3509B61393F74D51730AB94908B18C5AC5 |
SHA-512: | 8E2A4DFBCA74D0A3D7E23641DDE0A28400C29ACD9AAD6A0140EF9B38DD522D22DF822A103E45F36D267B4E5BE0AFBFD98723FB216CB71BEFE5D31AF90DD172EE |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.983641926526995 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzwcklmFVknIGc6URlwRcgl276:yPblzhk8EnICXRD22 |
MD5: | 5BA39420AAAE5F8B988907E9625CAA17 |
SHA1: | 43E4A971951EAB9CC8C5E98F302C108D3DF606A7 |
SHA-256: | 7E3ADF522B61CD36D7E8ABBAB3A3F561F32A639C3050204E67712D6C465D5D82 |
SHA-512: | FBAA36AE24C2B2CC2124021045B2FEB87B2ABD3C77C99B8B64451449C44B2AEAE0127C00E25FF359BAEED1B8499D2232FAAB9F177CEBD79490058EEE386B345B |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fb0f9c45-fb5f-4690-9815-e11a762d4739[1].htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | downloaded |
Size (bytes): | 6837 |
Entropy (8bit): | 0.861791117899086 |
Encrypted: | false |
SSDEEP: | 12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG |
MD5: | BFBFA8FDDA62476690C9077946372EAA |
SHA1: | BBD80340C07F716600B54242F11F25E1BDC442F2 |
SHA-256: | A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6 |
SHA-512: | 7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC |
Malicious: | true |
Yara Hits: | matched (rules listed in the dropped-file Yara table above) |
Antivirus: | detected (see the dropped-file antivirus table above) |
Reputation: | low |
IE Cache URL: | https://sqdocs.s3.eu-west-2.amazonaws.com/fb0f9c45-fb5f-4690-9815-e11a762d4739.html |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E839A722.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 6837 |
Entropy (8bit): | 0.861791117899086 |
Encrypted: | false |
SSDEEP: | 12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG |
MD5: | BFBFA8FDDA62476690C9077946372EAA |
SHA1: | BBD80340C07F716600B54242F11F25E1BDC442F2 |
SHA-256: | A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6 |
SHA-512: | 7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC |
Malicious: | true |
Yara Hits: |
Antivirus: |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBAE70F4.htm
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6837 |
Entropy (8bit): | 0.861791117899086 |
Encrypted: | false |
SSDEEP: | 12:qTWvzSExH8d2GZf1NGwtMQwue4Sv8VM1Gb:0WradlR1N7GD34S0VMG |
MD5: | BFBFA8FDDA62476690C9077946372EAA |
SHA1: | BBD80340C07F716600B54242F11F25E1BDC442F2 |
SHA-256: | A353DB4CFD64F1876F3F99BE6481189DBF5E770D71B8D03CBA84FF551EDBCDC6 |
SHA-512: | 7B234021E52E4CA1B14F93F12CC23DD61B135DCC57512672BF97DC1CC2D964072DB2F82E91CBDFCA41177D3B707E98F1C895C094D0D237A3505BB2606B8FD5CC |
Malicious: | true |
Yara Hits: |
Antivirus: |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{855EAE4E-7E59-44E5-8AE0-040E73EE4059}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 2.426355213517755 |
Encrypted: | false |
SSDEEP: | 24:rk+AK/PlpJbtOw5vKAB4cn3lWnoAABsigtOw5vKABOKABsiI:rk+1n7t5vKjW3TAxiSt5vK1Kxi |
MD5: | D0556DD3F824845B8273E5E41479D916 |
SHA1: | 15571D97AB15114444C8D1417EA4385B08A95AAC |
SHA-256: | 5F977543C7268FB6319F49174CA499F7280C60619EB293710530F3DA70DD7D56 |
SHA-512: | C2F89215A9F603F9053DDF9101B818322D778E99006436F5B70F0B21285578DE1F8E83780B8C92E3EF8A33D75230FA4E24670CD7FAD2A6560CA5B1CA22335C8C |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{903BB447-6E72-4B36-901B-CD1D48C95A6E}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.0893697448949966 |
Encrypted: | false |
SSDEEP: | 6:olgI5lNcYeupcIupMzId5XwPB8EURyajJ2QN/wPxZSu7mN:4veIcIUMcd5AB8uWJ2LZS1 |
MD5: | AAA6D6B978FBAFCD5DD76FAC163C7DE5 |
SHA1: | 82815A1CE8117B7B3EF81BB8E098CFA21DC0A62C |
SHA-256: | 7BC2DB1BBCF5FE247881220B96C3F0901535FAE1D23499ADE5F1BC477E676657 |
SHA-512: | 8131699881585D82A05E86BEEB725C94D31224E8FE01415B6961172013DEE1CD440D18D1FFDB3C4AE11017D2DE6113E9DB875D73F706551CBA84057137EC9A11 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CFED663A-BFB4-4992-A74D-FB6645F47512}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.02562575380283315 |
Encrypted: | false |
SSDEEP: | 6:I3DPcYT8i4HvxggLR9CeXA4NN1Jz7RXv//4tfnRujlw//+GtluJ/eRuj:I3DPKPDr3zdvYg3J/ |
MD5: | A68E81A344AB9C81C9BC70AE0905482B |
SHA1: | F4906409313793A5A995A888182056AE985A6B67 |
SHA-256: | 1D1FA63626F3B3B34AB323C760173C1332846F07933A256F2EB07E974CE41E03 |
SHA-512: | CE2E7D51E75240A035688C7C152A50A3541E542C465A13AE3172F385623A0C171522953AD2684977E98768956F9E1F5B5ED6D6AE9D0C5AD1B6E4A2250311E010 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.02558447946861823 |
Encrypted: | false |
SSDEEP: | 6:I3DPcLkMuX2bvxggLRPV1TPlW6RXv//4tfnRujlw//+GtluJ/eRuj:I3DPjMNjV1TPDvYg3J/ |
MD5: | 71384542A463819B0830984AE4F98E11 |
SHA1: | DEA21C166A54CF414730E9084A74B4BA7DD63E3A |
SHA-256: | 0E5CBD34A6F6EE79FF97B80B9DA9FDB3DCB529098940A7A152943B6C8AA5ADF2 |
SHA-512: | 8ED44F5336445FC9E1CEA6E7F906A003B731B692594CD358A78696922B874265B8E162F3B62119FD2EBDE00AA8CBC47900554417DE4395A5643D8339F50BCB6A |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.556276070350963 |
Encrypted: | false |
SSDEEP: | 24:8qZk/XTRKJRO2XInaNey0znoDv3qc4u7D:8qZk/XT0R6aNaz3f0D |
MD5: | DB94315235E4893B9DAEB87DEA673DC9 |
SHA1: | D6AF234C06E316F44425FBCDB18382812BDE591C |
SHA-256: | F285EEA55EAB1054656109D1E28CFFEFD9FBA6077F948E8886430DB09A43EDB8 |
SHA-512: | F31D1418E6ED4668C941DB51AEBFDB4A27A8DAE45481DB78BD279DFFA79FAE9CFE5AF6732E6D8F550DEAEB823B611EA6EEE5B10CCE827246B893F239B34B39E1 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 4.680584037314278 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlUGBkRMApSmxWHgiRMApSv:bC+Y |
MD5: | 53C3D14293FED3A106A4BBFA435C6D6D |
SHA1: | 7B94F89CF983DB252AC21359B6F9F428894FA26F |
SHA-256: | FFE1538C5E2466AE8313ECA1BC671BB1E83CBDEE9E38235EE205BD3C464CE918 |
SHA-512: | D41CDCF858E0210DB88477FB65A8D9DEA6CDA26590D536B1027506AC63BE6AABCE98289F3C7B5867D7892DBBBCF2D1E045FF4B9C2A81841BB7CF6A028D8B3E0E |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.342099959599253 |
TrID: |
File name: | icRTA4gcSe.docx |
File size: | 11588 |
MD5: | 9873ccaccab0237bf533324f69dff3b3 |
SHA1: | 29d098d9ddf7e425413817089beb2eb14c91bc64 |
SHA256: | 05625644a2e070d4780822daf7126f408ec0db9881a9995dc24ee500b624a198 |
SHA512: | 882c74e579e8aa9cc9fff1eb29c9f01a7a8c85fbff836676f79eedf1fbd5eedce1872977935e68faa59dc3049095b40f19b06e43717bead435a0e22c070cc962 |
SSDEEP: | 192:CtIWmk402hTZ3S7Ok0lyCpLpYBV7PuNrxnpApwzxux:aIWmkIhTZC789YBY9Vzxux |
TLSH: | BB32BF37CE46E822C641C87871D942EFF32C4797A715CBDB414E52C6149738A23BEE29 |
File Content Preview: | PK..........!....lZ... .......[Content_Types].xml ...(......................................................................................................................................................................................................... |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 18, 2022 01:55:36.086070061 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf6d | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:42.564024925 CEST | 192.168.2.22 | 8.8.8.8 | 0xc1d2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:42.586708069 CEST | 192.168.2.22 | 8.8.8.8 | 0xfa76 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:48.337165117 CEST | 192.168.2.22 | 8.8.8.8 | 0xf2ca | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:48.358426094 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:50.260698080 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c12 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:50.285867929 CEST | 192.168.2.22 | 8.8.8.8 | 0xb92a | Standard query (0) | | A (IP address) | IN (0x0001) |

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 18, 2022 01:55:36.106134892 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf6d | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:36.106134892 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf6d | No error (0) | | | 3.5.244.102 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:42.583273888 CEST | 8.8.8.8 | 192.168.2.22 | 0xc1d2 | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:42.583273888 CEST | 8.8.8.8 | 192.168.2.22 | 0xc1d2 | No error (0) | | | 3.5.246.192 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:42.606504917 CEST | 8.8.8.8 | 192.168.2.22 | 0xfa76 | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:42.606504917 CEST | 8.8.8.8 | 192.168.2.22 | 0xfa76 | No error (0) | | | 52.95.148.114 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:48.356043100 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2ca | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:48.356043100 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2ca | No error (0) | | | 3.5.246.154 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:48.380167007 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:48.380167007 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | | | 52.95.149.186 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:50.282433987 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c12 | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:50.282433987 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c12 | No error (0) | | | 52.95.148.170 | A (IP address) | IN (0x0001) |
Aug 18, 2022 01:55:50.302962065 CEST | 8.8.8.8 | 192.168.2.22 | 0xb92a | No error (0) | | s3-r-w.eu-west-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
Aug 18, 2022 01:55:50.302962065 CEST | 8.8.8.8 | 192.168.2.22 | 0xb92a | No error (0) | | | 52.95.148.86 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:36 UTC | 0 | OUT | |
2022-08-17 23:55:36 UTC | 0 | IN | |
2022-08-17 23:55:36 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49174 | 3.5.246.192 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:42 UTC | 0 | OUT | |
2022-08-17 23:55:42 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49179 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:49 UTC | 1 | OUT | |
2022-08-17 23:55:49 UTC | 1 | IN | |
2022-08-17 23:55:49 UTC | 2 | IN | |
2022-08-17 23:55:49 UTC | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49180 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:49 UTC | 9 | OUT | |
2022-08-17 23:55:49 UTC | 9 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49181 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:49 UTC | 9 | OUT | |
2022-08-17 23:55:50 UTC | 9 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.22 | 49182 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:50 UTC | 10 | OUT | |
2022-08-17 23:55:50 UTC | 10 | IN | |
2022-08-17 23:55:50 UTC | 10 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
6 | 192.168.2.22 | 49183 | 52.95.148.170 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:50 UTC | 11 | OUT | |
2022-08-17 23:55:50 UTC | 11 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
7 | 192.168.2.22 | 49184 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:50 UTC | 11 | OUT | |
2022-08-17 23:55:50 UTC | 12 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
8 | 192.168.2.22 | 49185 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:50 UTC | 12 | OUT | |
2022-08-17 23:55:50 UTC | 12 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
9 | 192.168.2.22 | 49186 | 3.5.244.102 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-17 23:55:51 UTC | 13 | OUT | |
2022-08-17 23:55:51 UTC | 13 | IN |
Target ID: | 0 |
Start time: | 01:55:14 |
Start date: | 18/08/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13ff90000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |