Windows Analysis Report
fHER4lglqY

Overview

General Information

Sample Name: fHER4lglqY (renamed file extension from none to docx)
Analysis ID: 685991
MD5: 6878265f91c6cb31618ad8ff45891f60
SHA1: 178c99c6b3ad6e1e835b2325b0d9a023d61d6d64
SHA256: 2f75f6ee9ba9ef599dff95249a32312bb457ea34d5e25dec338b803c312221a0

Detection

Follina CVE-2022-30190
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: fHER4lglqY.docx Avira: detected
Source: fHER4lglqY.docx Virustotal: Detection: 25%
Source: fHER4lglqY.docx Metadefender: Detection: 22%
Source: fHER4lglqY.docx ReversingLabs: Detection: 48%
Source: https://2hell.nl/follina/poc.html Avira URL Cloud: Label: malware
Source: https://2hell.nl/follina/poc.html Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED
Source: document.xml.rels Extracted files from sample: https://2hell.nl/follina/poc.html!
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: global traffic DNS query: name: 2hell.nl
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlIf-Modified-Since: Mon, 30 May 2022 19:35:11 GMTIf-None-Match: "1a76-5e03fc121ca9b"Connection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr, ~WRS{908054AA-4410-45BE-A60F-B0BC543AE3BB}.tmp.0.dr String found in binary or memory: https://2hell.nl/follina/poc.html
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr String found in binary or memory: https://2hell.nl/follina/poc.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DD68104-9F74-4147-BF67-D8C1A9A331E2}.tmp
Source: unknown DNS traffic detected: queries for: 2hell.nl
Source: unknown HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49173 version: TLS 1.2

System Summary

Source: document.xml.rels, type: SAMPLE Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: fHER4lglqY.docx Virustotal: Detection: 25%
Source: fHER4lglqY.docx Metadefender: Detection: 22%
Source: fHER4lglqY.docx ReversingLabs: Detection: 48%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: fHER4lglqY.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\fHER4lglqY.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ER4lglqY.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5456.tmp
Source: classification engine Classification label: mal100.expl.evad.winDOCX@1/18@15/1
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: document.xml.rels Extracted files from sample: https://2hell.nl/follina/poc.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior