Windows
Analysis Report
dl18aYTBo5
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- WINWORD.EXE (PID: 1216 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak | |
| INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen | |
AV Detection |
---|
Source: | Avira: |
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Exploits |
---|
Source: | Extracted files from sample: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | IP Address: |
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | File created: | Jump to behavior |
Source: | DNS traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | Key opened: | Jump to behavior |
Source: | LNK file: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | OLE document summary: |
Source: | File read: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Process information set: | Jump to behavior |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 13 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 2 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
20% | Metadefender | Browse | ||
28% | ReversingLabs | Document-Word.Exploit.Heuristic | ||
100% | Avira | W97M/Dldr.Agent.G1 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
raw.githubusercontent.com | 185.199.108.133 | true | true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.199.108.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | true |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 686004 |
Start date and time: | 2022-08-18 03:50:20 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | dl18aYTBo5 (renamed file extension from none to docx) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.expl.evad.winDOCX@1/15@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
- VT rate limit hit for: dl18aYTBo5.docx
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.199.108.133 | Get hash | malicious | Browse | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
raw.githubusercontent.com | Get hash | malicious | Browse | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
FASTLYUS | Get hash | malicious | Browse | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | Get hash | malicious | Browse | | |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.2891798341270631 |
Encrypted: | false |
SSDEEP: | 96:Ku2LVP/Edg7qsruukLQEzyE5lAmIM6h5RK43fngxZJCa43fngxZJCIH:cCsrBoh3K5M |
MD5: | AED282D47E74B35A963FA967845BEB55 |
SHA1: | 95860C99A86CE925F3FF2847643FEB9D07601E09 |
SHA-256: | 87636D9B14847B13BBCD785071FE01D09428F7E8ABA072BB06225830BCEFA3C4 |
SHA-512: | 4D5ED432A1EED5639C341723B5418CA97343D75C21DC568D981ED5C7FAB0D0E8FB62C8A971B6F66620C5C41D8E5E564E418D14B4F4C835C389881ADEC8AF2832 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DD8BC438-10B7-4304-B5F6-7629BCF1BBBD}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.671583368870765 |
Encrypted: | false |
SSDEEP: | 96:KTnCy+Gl917GyWhudBoG1mu/cN3NSOvFTyNnGv:mn+O9NK8mGfG9btUnGv |
MD5: | 26F11022DF18562138B60C6F037921A8 |
SHA1: | 5B8B9FCD71EFBB596D32EAB2E5450B6A09F42A3E |
SHA-256: | C7DE62732C7A4D01C61155AC93E2CDF8FF277BA66C5E997AFC68C4836B6C1876 |
SHA-512: | 7D9185AD76AC4FCBB8A998149B0760529BF0E32C31D9E7D7D8776BC63A9BE92C81B4D326CE9858916F75F4D8550E3681009501B78EC4C77D84986D44CD2D6F97 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.9145450235130843 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzV8LMFYEHpCRglQ7pYyUaO9H7mL7276:yPblzV8wFhYCQ7pYyUbFKf22 |
MD5: | 7B90472AF641B5E703E37F1B849117D6 |
SHA1: | DBF52B00012494E56117FEF0F777FD7D0945C8EB |
SHA-256: | 7D461C93DFC0C71280E3F2B14C11345DE5BD87C7170C4A7F01F2155335D7543B |
SHA-512: | 81F7C12377FD567C6158D2E5FD5856AEE7754FA565CB320E9957F6D718642A19301F3D0AAD76CEA7A57E0D36FE0129E0CAC245D1A0412F7FC72FCA56DDB6E194 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28761799644723346 |
Encrypted: | false |
SSDEEP: | 24:I3JuC4tB37/AtfJA2jeMFUWTk2n8YpS9ACOie6G9cPlSPl/KJGlFU8dyOJ2Xredk:I38RBzk29416Gus0o1yUErwo4VzKzVH |
MD5: | 0DDF9A2970B1B258F8A6DC09F10A59EB |
SHA1: | 1AC71AA6E71D102B35173A2C1861F4AD58DC521D |
SHA-256: | 9FFBE5DEB13327493B169738A498D95E872AD88E850FE8F54E182892E684D09E |
SHA-512: | 7C73E42854B8DDAD1978B82032AE12AC6B08D7DFC003067887F3D4D53B8EFD53633A518EEAF3568BE581E604CE1D69F8CA25BA25D8D4119886989F60BFA6A2DA |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4BE7BDD4-FFEC-446A-AFDD-8DCC2CB50000}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22238376643707547 |
Encrypted: | false |
SSDEEP: | 24:I3L4MfPLwnM0B34P+ga0eQ/51AsnstTMERtr/XEJ4AyKyiJe/R/i5hm8MyYqMyY2:I3ZXUrBX0/A0YJy41hiS8eqe2 |
MD5: | 46C2BB20992B8CE2496F7552C6C2B4E2 |
SHA1: | FC1D835CCA254539EB6DB0E3A86EA21DED1F1CB1 |
SHA-256: | EDDBA564DA065E559E253D85566ACEAD75B7B789DE900EAB15311CA8D3E52A08 |
SHA-512: | FAF1515F5AB321CDB368091B0015FC9B2F5CF38591919CCA61934CF82CEB8B8B201C38EF3D593B35A68D673EDBF885D037B92882BE4D44321346D2E1F2A5365B |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.861913444565715 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzB6lSTzRWZ3IRSYmz8hPKQlPtEljl276:yPblzslST4Z4gRISQd6Z22 |
MD5: | 198CFA2CB15C47E79B48D717F4D03634 |
SHA1: | 1B74293BCEDC94E8965A4536DA7AD0C3AC309852 |
SHA-256: | 9EEBDC29A70138CC5616F631F3141303C6DFBF34812D7805A0D573264D9ED6C0 |
SHA-512: | 8A20F85B6732051D73C3EA662458BF9BBEFA7E057879CCAA0F8ABCC9CDB63E772EED623E919BD39A00AA963A03E49E522BF99FEADDE4B0D852BB893DBAA87F6E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{24DDD834-E6C7-483D-822D-9FEFD1EF961E}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 1.4190225457141796 |
Encrypted: | false |
SSDEEP: | 12:rl3lTpFQUhIc77k4c77k4CIc77k4c77k4CICICb77:rnxl77g77m77g77 |
MD5: | 49805345EC222F9C40DE34EA93D3D9D4 |
SHA1: | 43722C84F1BF1C76DA46EE10E388348CD90FC1CA |
SHA-256: | 2253D7B0AA718135507AE366237E893ADAD147B44C39B130007A9A3486FE2C14 |
SHA-512: | C402E7BE9E8A4C0610E6B59E9965E0CEAB7F5E815BDACB4807564211EC2DBABC63B553E857B80A07481AAF1A706F52BF4CF3F4FE0E8141F4A0BA146B57B1B87D |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{40655C52-0542-4D1D-95A6-44AB7A44DEAF}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FEC6DCA0-7354-46DE-A8FC-629874E35853}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.064573888851514 |
Encrypted: | false |
SSDEEP: | 6:olgI5lNcYTIee8c3XlimlcougZkl9AajJMdYB4PxZUtL2mN:4vTIx8c3Xlimlcb4WJcZk |
MD5: | 16983C4674C4429553475D2AE88B4044 |
SHA1: | 749397398EF28AACA48E2F1295EFCDCF49C8804E |
SHA-256: | 2F1D2137E1F5F181D6295D7ADE057DDEB50F43FA5B5C99E8E9559E2AD8FA3B56 |
SHA-512: | 6EDA1C367C1F28D4EDE0EBD9C675A4D1B0DC18AD3607398EBF6306FD2A45C47FC427E6E3F5FB7817E4387CCF40D118E5277B3CD85EA9F38510109C7C09B81CEA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025492164821171715 |
Encrypted: | false |
SSDEEP: | 6:I3DPcdH0FvxggLR2ajt/5SpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPycVjmvYg3J/ |
MD5: | C321B22B28157B83D97EC320A2279932 |
SHA1: | 0218F9A13568E812E90219318BB8869426985F95 |
SHA-256: | E6CC4B63B5471AA996CAEEFE102323A54DA38F5340FDC20E3B60B0D20F346350 |
SHA-512: | 7880CF4C296FB1629BB668A196C4CB04AEDC9227FA446357FE4605CDBAD6853EE4F93700C91052C631A1800E5840950E98EA7B8DBF6785C2D74AFA3C7677F496 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025708761401932248 |
Encrypted: | false |
SSDEEP: | 6:I3DPcM/UxFvxggLRpXKbswN6/3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPcp4YwCvYg3J/ |
MD5: | 732D631679C87125581E7C89CFF8C256 |
SHA1: | 0EBF386158D24CEF051FA7E1A088C98B56795738 |
SHA-256: | 50CD773653EA7A75E511AA6CB16273AB4D520D2FCA90F821002439FB4086C5CE |
SHA-512: | 22E4DEBEB39057FEAC8843A4B915D12F195ACE755A255A713A8D0039DE71661381968E7DE1F4CCF4E2DAA4FE5C87E743A97BE1DEF66A1E93D44B6EF523D3F9F6 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1019 |
Entropy (8bit): | 4.5484356470711464 |
Encrypted: | false |
SSDEEP: | 12:8h3580gXg/XAlCPCHaXRBktB/ZABpX+WyFzGjuicvbLKGM54J4NDtZ3YilMMEpxK:8h3mk/XThOcpQ56NevLMQIDv3q5u7D |
MD5: | 43684316804655277257094B01BEEE4E |
SHA1: | 502183CF7142C836D557AFCC92A9E7A6604D68E8 |
SHA-256: | 1D7F597BEA5ADAE9E47C8F3064B5EDA0FEFC1FDA0751D0198E7E060638AE6735 |
SHA-512: | 21B45E003FFBB16ADD86B2A8269620BF9F74E930ABBFC99BDAE2EFB54DC2BE939ED61827AB36E0F1E64EC38E499BC3F94BC76319D48FB36D7C928561B63573D2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 4.721620404569601 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlZ0nLLUmxWK0nLLUv:bCS0L+LC |
MD5: | 78743467AD7B7A7C4AEA7B26F05F0159 |
SHA1: | 1EE278AFB6EAE05D6BAD394AC28A4AC85E36A994 |
SHA-256: | ABD0F630011CFCF4BA855FFF7AF8C5644D09A8F1A424F1EC8D3C0186ECCB6582 |
SHA-512: | DBCB93CE9E7236A91C1BCDF35F7840ABE97FDD5B915E1698A703058F108986C7AC64C7E5276B5D237429F9B146A475BBC9C91C1442BEC56C80A0674AFA7EF448 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l |
MD5: | 7CFA404FD881AF8DF49EA584FE153C61 |
SHA1: | 32D9BF92626B77999E5E44780BF24130F3D23D66 |
SHA-256: | 248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7 |
SHA-512: | F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l |
MD5: | 7CFA404FD881AF8DF49EA584FE153C61 |
SHA1: | 32D9BF92626B77999E5E44780BF24130F3D23D66 |
SHA-256: | 248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7 |
SHA-512: | F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.869840361272895 |
TrID: | |
File name: | dl18aYTBo5.docx |
File size: | 10190 |
MD5: | b91615355a11f5bb8b7c381a8bc4485a |
SHA1: | 7950b1730e05a2dcdd19f1a98a697798a9edbf77 |
SHA256: | 3fdd30eb0961c98259d58327745ec253588b1553d9822d613d45d076c4b07ec1 |
SHA512: | c8fbe110484db356ff4f67bcad94930b26fab9040a560a5a0d466d5766b2430b64585132048f787f0c7766b12e33ab765d415bd08a5fb7482a12d1da9160a00a |
SSDEEP: | 192:E5VR2DuRkZx41Jlb8VPkf+CFk4v1Y2VveFLC9Fi/CRQIZleDM:EHkZx0lD9+2Vv6aRdleDM |
TLSH: | 73229D3BEAA50DB4C6E69275E0AC1A25C35C06B7F33DF94A349423D812C85DD5BE530C |
File Content Preview: | PK.........C.T...L....'.......[Content_Types].xml...n.0.E....m.NR....,.X...~...`.l.....C ......l....sg..'.m..kp^...Q4d...H..1.X...,.(.......x6..L.;.>.b.c.!...}.A!|d,h.....i.....K,....;....1.R.M'O..U....^WF.....Ub....6W.@.....(aM..r..3e....?J(#....7..S...p |
Icon Hash: | e4e6a2a2a4b4b4a4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 18, 2022 03:51:10.470141888 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.470201969 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.470278025 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.484919071 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.484960079 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.535059929 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.535243034 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.551305056 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.551399946 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.551778078 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.551877975 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.826065063 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852339029 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852479935 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852515936 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852602005 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852612972 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852631092 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852715969 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852730989 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852812052 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852824926 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.852900982 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.852915049 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853101015 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853199959 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853224993 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853241920 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853260994 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853307009 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853318930 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853382111 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853393078 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853451014 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853463888 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853545904 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853558064 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853617907 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853631973 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853689909 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853702068 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853780985 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853796005 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853857040 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853871107 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.853933096 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.853950024 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854020119 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854032993 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854093075 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854106903 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854167938 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854178905 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854254961 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854268074 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854326963 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854343891 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854352951 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854372025 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854377985 CEST | 443 | 49171 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:10.854424953 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:10.854479074 CEST | 49171 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.855664968 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.855707884 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.855793953 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.856117010 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.856132984 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.893364906 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.893438101 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.904609919 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.929476023 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.929582119 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.954840899 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.954922915 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.954951048 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955022097 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955034018 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955050945 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955094099 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955112934 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955132961 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955157995 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955171108 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955182076 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955188036 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955218077 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955234051 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955235958 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955246925 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955281019 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955291033 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955297947 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955310106 CEST | 443 | 49172 | 185.199.108.133 | 192.168.2.22 |
Aug 18, 2022 03:51:16.955344915 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955380917 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955451965 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Aug 18, 2022 03:51:16.955471992 CEST | 49172 | 443 | 192.168.2.22 | 185.199.108.133 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 18, 2022 03:51:10.438461065 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 18, 2022 03:51:10.456965923 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 18, 2022 03:51:10.438461065 CEST | 192.168.2.22 | 8.8.8.8 | 0xca88 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | | | 185.199.108.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | | | 185.199.109.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | | | 185.199.110.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | | | 185.199.111.133 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49171 | 185.199.108.133 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-18 01:51:10 UTC | 0 | OUT | |
2022-08-18 01:51:10 UTC | 0 | IN | |
2022-08-18 01:51:10 UTC | 0 | IN | |
2022-08-18 01:51:10 UTC | 0 | IN | |
2022-08-18 01:51:10 UTC | 2 | IN | |
2022-08-18 01:51:10 UTC | 3 | IN | |
2022-08-18 01:51:10 UTC | 3 | IN | |
2022-08-18 01:51:10 UTC | 3 | IN | |
2022-08-18 01:51:10 UTC | 4 | IN | |
2022-08-18 01:51:10 UTC | 4 | IN | |
2022-08-18 01:51:10 UTC | 4 | IN | |
2022-08-18 01:51:10 UTC | 5 | IN | |
2022-08-18 01:51:10 UTC | 7 | IN | |
2022-08-18 01:51:10 UTC | 7 | IN | |
2022-08-18 01:51:10 UTC | 7 | IN | |
2022-08-18 01:51:10 UTC | 8 | IN | |
2022-08-18 01:51:10 UTC | 8 | IN | |
2022-08-18 01:51:10 UTC | 8 | IN | |
2022-08-18 01:51:10 UTC | 9 | IN | |
2022-08-18 01:51:10 UTC | 9 | IN | |
2022-08-18 01:51:10 UTC | 9 | IN | |
2022-08-18 01:51:10 UTC | 11 | IN | |
2022-08-18 01:51:10 UTC | 11 | IN | |
2022-08-18 01:51:10 UTC | 11 | IN | |
2022-08-18 01:51:10 UTC | 12 | IN | |
2022-08-18 01:51:10 UTC | 12 | IN | |
2022-08-18 01:51:10 UTC | 12 | IN | |
2022-08-18 01:51:10 UTC | 13 | IN | |
2022-08-18 01:51:10 UTC | 13 | IN | |
2022-08-18 01:51:10 UTC | 13 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49172 | 185.199.108.133 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-18 01:51:16 UTC | 15 | OUT | |
2022-08-18 01:51:16 UTC | 15 | IN | |
2022-08-18 01:51:16 UTC | 16 | IN | |
2022-08-18 01:51:16 UTC | 16 | IN | |
2022-08-18 01:51:16 UTC | 17 | IN | |
2022-08-18 01:51:16 UTC | 17 | IN | |
2022-08-18 01:51:16 UTC | 17 | IN | |
2022-08-18 01:51:16 UTC | 18 | IN | |
2022-08-18 01:51:16 UTC | 19 | IN | |
2022-08-18 01:51:16 UTC | 21 | IN | |
2022-08-18 01:51:16 UTC | 22 | IN | |
2022-08-18 01:51:16 UTC | 23 | IN |
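The DNS answer table and the two HTTPS session tables above are the observable chain of this sample: a single A lookup returning four addresses, followed by WINWORD.EXE itself (not a browser) opening TLS sessions to the first answer on port 443. The script below is an added example, not part of the sandbox report or its tooling, that parses rows in the report's own table layout and correlates them into a finding. The sample rows are constructed to mirror the tables above; the query name is a placeholder (`template.example`) because the page's extraction dropped the real name, and the third session (svchost.exe) is constructed only to show the filter.

```python
"""Correlate sandbox DNS answers with per-process TCP sessions.

Added example, not part of the sandbox report. Row formats follow the
report's "|"-separated tables; the DNS name is a placeholder because the
page does not preserve it.
"""
from typing import Dict, List, Tuple

# Constructed sample rows in the report's DNS-answer layout:
# Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
DNS_ANSWERS = """\
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | template.example | | 185.199.108.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | template.example | | 185.199.109.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | template.example | | 185.199.110.133 | A (IP address) | IN (0x0001) |
Aug 18, 2022 03:51:10.456965923 CEST | 8.8.8.8 | 192.168.2.22 | 0xca88 | No error (0) | template.example | | 185.199.111.133 | A (IP address) | IN (0x0001) |
"""

# Constructed sample rows in the report's session layout:
# Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
# Sessions 0 and 1 mirror the report; session 2 is constructed to exercise the filter.
SESSIONS = """\
0 | 192.168.2.22 | 49171 | 185.199.108.133 | 443 | C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE |
1 | 192.168.2.22 | 49172 | 185.199.108.133 | 443 | C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE |
2 | 192.168.2.22 | 49173 | 203.0.113.10 | 443 | C:\\Windows\\System32\\svchost.exe |
"""

# Office host processes that should not be opening their own outbound TLS
# sessions to freshly resolved names while rendering a document.
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "MSACCESS.EXE"}


def split_row(line: str) -> List[str]:
    """Split one report table row into stripped cells, dropping the trailing '|'."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_dns_answers(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each answered A-record address to (queried name, transaction id)."""
    answers: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = split_row(line)
        if len(cols) < 10:
            continue  # malformed or truncated row; skip rather than guess
        _ts, _src, _dst, txid, rcode, name, _cname, addr, rtype, _rclass = cols[:10]
        if rtype.startswith("A ") and rcode.startswith("No error"):
            answers[addr] = (name, txid)
    return answers


def parse_sessions(text: str) -> List[dict]:
    """Parse session rows into dicts with typed ports and the bare image name."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = split_row(line)
        if len(cols) < 6:
            continue
        sid, src, sport, dst, dport, proc = cols[:6]
        sessions.append({
            "session": int(sid), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "process": proc,
            "image": proc.rsplit("\\", 1)[-1].upper(),
        })
    return sessions


def correlate(dns_text: str, session_text: str) -> List[dict]:
    """Flag Office processes whose TLS destination was just resolved by DNS."""
    answers = parse_dns_answers(dns_text)
    findings = []
    for s in parse_sessions(session_text):
        if s["image"] not in OFFICE_IMAGES:
            continue
        name, txid = answers.get(s["dst"], ("", ""))
        findings.append({
            "session": s["session"],
            "image": s["image"],
            "dst": f'{s["dst"]}:{s["dport"]}',
            "resolved_name": name,        # empty string if the IP was hard-coded
            "txid": txid,
            "reason": "office host process fetched remote content over TLS",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_ANSWERS, SESSIONS):
        print(f)
```

The key signal is not the destination address (the 185.199.108-111.133 block is shared hosting) but the pairing: a document-rendering process resolving a name and immediately speaking TLS to one of the answers, twice, with no browser or updater in the chain. Feed the same parser the report's raw TCP table to recover the handshake timing if you need to order the two sessions against the file-open event.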
Target ID: | 0 |
Start time: | 03:51:10 |
Start date: | 18/08/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f9f0000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |