Windows
Analysis Report
v4nkfHg4d9.doc
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- WINWORD.EXE (PID: 1480 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | |
| | EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | |
| | EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Avira: |
Exploits |
---|
Source: | File source: |
Source: | Extracted files from sample: |
Source: | File opened: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | FTP traffic detected: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | Matched rule: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | LNK file: |
Source: | OLE indicator, Word Document stream: |
Source: | File created: |
Source: | Classification label: |
Source: | OLE document summary: |
Source: | File read: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Process information set: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 12 Exploitation for Client Execution | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | 1 Exfiltration Over Alternative Protocol | 1 Non-Standard Port | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 24% | ReversingLabs | Document-Office.Exploit.CVE-2021-40444 | |
| | 38% | Virustotal | | Browse |
| | 100% | Avira | HEUR/CVE-2021-40444.Gen | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 100% | Avira | JS/CVE-2022-30190.G | |
| | 100% | Avira | JS/CVE-2022-30190.G | |
| | 100% | Avira | JS/CVE-2022-30190.G | |
| | 100% | Avira | JS/CVE-2022-30190.G | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 8% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ftpupload.net | 185.27.134.11 | true | true | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.27.134.11 | ftpupload.net | United Kingdom | | 34119 | WILDCARD-ASWildcardUKLimitedGB | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 706117 |
Start date and time: | 2022-09-20 12:01:09 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 24s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | v4nkfHg4d9.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.expl.evad.winDOC@1/17@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Report size getting too big, too many NtQueryAttributesFile calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.27.134.11 | | Get hash | malicious | Browse | |
| | | Get hash | malicious | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
WILDCARD-ASWildcardUKLimitedGB | | Get hash | malicious | Browse | |
| | | Get hash | malicious | Browse | |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28751929512551705 |
Encrypted: | false |
SSDEEP: | 96:KTL9HXA6UpXS9Qz/3Skwll6S919It919InH:o+W63Xwll/GlGH |
MD5: | A727C052A38A7C763B0785526ED1B7E3 |
SHA1: | 1F514A52E24467E821012B63946BEDC97E8AAD12 |
SHA-256: | BBB2F36AD0F51F64C42464A98F234029360B21B4311A0D9EA4023761D420464A |
SHA-512: | 16BFC123F23CC45D8C8D81643D8FBD4C6F8C8AA363397DFEA4464FCD8D1FEC23D4D6C77CEE7938E0E61C5893EB2E0C14A7E45B4B195D5615662B5207E97DE5EB |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{54DDC164-6977-4037-8CE0-7B33C8A8D8B0}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.67186940405612 |
Encrypted: | false |
SSDEEP: | 96:KnCy03dnrUA9k16eCYrFoGl57sskQskfDcjteIs66d+seU+seOv+seA+se:k0tnARsxGl+Ust2G/bj |
MD5: | B74B882A7C46E06F3B86F790784D4740 |
SHA1: | DEF77CAA5E9C7990736C5D9B550E00F42949DF4E |
SHA-256: | 7F1956BADEBB62F2FD77E64E3C4DFDB1974905995B692A2D8D9C192A4429B21A |
SHA-512: | 284F70D070E53176E949D89E89EFA3FFC570152C192A75E42C4C032EC5A4FD70F3BBEF7D9CB20691568B2EE3CED46426C05EFA7DC22119E3D7EA535D2B95FE79 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.961797847617582 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzqhlKKtacaqSalSgPILW82L10jl276:yPblzuK0acHSJi8JZ22 |
MD5: | E232829DF073F686551349641EEBD8F4 |
SHA1: | 6A1E938BBFA2D6F1B1D6BE995DF084FA51B4A010 |
SHA-256: | C19042A7992FF203C5379CFA25A637008B29FD15D8C2497D05E3412F3E9C48FC |
SHA-512: | DB9929F0DE0C73B8D7D6080BCAD545EF1C0A223A182FAC773CF870C6D02723238A62442B1F7CC03E02208DDBC149CA804D0A7C17FB0B2C3899FEA61A895CDFFC |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.28766421715530094 |
Encrypted: | false |
SSDEEP: | 48:I3nQQ2RBx+UuDijr9UdjAo29jpHEYsydHFHKdQHHrIHNIYh7bbTLYKmN19gCc/ER:KsLMi+26hOH |
MD5: | 924923199F7CCC8A48ED70C554C4A338 |
SHA1: | 8C754C1F80F1F7C0B0B307D6E0D19BD294942AA6 |
SHA-256: | D4327CD44C91AE99D24507E21253AB462E1A04F72E70ADB03F96B07852757352 |
SHA-512: | 4CC5E79736F614AC3414211ED6DBE96BAD7CBA722C6396121B0B13FE07EABB74BA30EDCEC46D7FE20FD38F1A11ACCF447A212F697BC6B58B765CCE04AC00CAC5 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1657AA85-2CA3-4A47-A452-C920236DEB83}.FSD
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.22092018959874407 |
Encrypted: | false |
SSDEEP: | 48:I3xaC/TUrBFw6ljMEljYwoMElR8XNRwy//pTk:Kxr7CFwoMEljYfMElzT |
MD5: | 6E59514B7DB74AD1BF8E7B0763337037 |
SHA1: | 998B465BB422FA8E46BB6F5F5DC4AED7F5AF6292 |
SHA-256: | 2586FE3FEC8B42F79C2327E0C3CCD46E3BADA6FC548FB1125AC8CBA35D646CB9 |
SHA-512: | 24593F8D3E2699859A4F568DF26E568E8D7603F7BA34F050E12BA81A938EC806CE81A2DFA819CFA514F48703FD7A366C1C2AC8C1955F4BCEE81EF2E0EFA43329 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 114 |
Entropy (8bit): | 3.996885566915828 |
Encrypted: | false |
SSDEEP: | 3:yVlgsRlzIKlSls8KSN0sXaYIaDwCNPXMlilECjl276:yPblz9IapSSajFclilEg22 |
MD5: | 57103CCAC28859AEB2D05CF5C8F90FA7 |
SHA1: | 3DDB59D6C50F9F696E5F67F59498607BBCE12C9D |
SHA-256: | 5F8058A4F381EA14D0C80CC3F25B15E433AA58D9DEA92050A467CA5B1584F74D |
SHA-512: | 0D7E6CFCC2311B341F76242B865333FF3DA5CD9C1313DFC0B78AF876354C4217988E53989B4B78E75085679D27AB770E8484C98FADF56FA542FBBB521C7A1FA5 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\a[1].html
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6827 |
Entropy (8bit): | 1.4956688509182383 |
Encrypted: | false |
SSDEEP: | 24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G |
MD5: | 9D5D3D22DB816F7E84026BA1FCD97BB7 |
SHA1: | 0A3C8D913D481AD880FD127E2E05763D2CAA29BC |
SHA-256: | 1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85 |
SHA-512: | 6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a[1].html
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6827 |
Entropy (8bit): | 1.4956688509182383 |
Encrypted: | false |
SSDEEP: | 24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G |
MD5: | 9D5D3D22DB816F7E84026BA1FCD97BB7 |
SHA1: | 0A3C8D913D481AD880FD127E2E05763D2CAA29BC |
SHA-256: | 1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85 |
SHA-512: | 6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16ADE517.html
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6827 |
Entropy (8bit): | 1.4956688509182383 |
Encrypted: | false |
SSDEEP: | 24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G |
MD5: | 9D5D3D22DB816F7E84026BA1FCD97BB7 |
SHA1: | 0A3C8D913D481AD880FD127E2E05763D2CAA29BC |
SHA-256: | 1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85 |
SHA-512: | 6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81D0D9EE.png
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 31667 |
Entropy (8bit): | 7.606296058205636 |
Encrypted: | false |
SSDEEP: | 768:gyyyyyyyy7bb9/5B6TXBUvTF1k2K/m+p0i:gyyyyyyyy7bb9/5sLMmmMD |
MD5: | 6C06A8618F116BB542677F04FA34E954 |
SHA1: | 7EB1BC6B098104C2827AADE763798AE0B0343A86 |
SHA-256: | 618E441E2019C655AE1E777C38B96FBA72CD569CE26DE877539295B5161FFE84 |
SHA-512: | 491B75818B466A00B9A04B64BA0065AE638F01D35FC3DF342090E3268B7508C9B6F712F4EDA9DE533036E4819B0A2D21BDA6E8B893D78E7DE84CA08FDBDC09AA |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF5ACC2C.html
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6827 |
Entropy (8bit): | 1.4956688509182383 |
Encrypted: | false |
SSDEEP: | 24:0WUe43dlK8PkikLnPKZ2kSAf9cJuQL34S0VMG:0WUe43dnUPyNTSj4S3G |
MD5: | 9D5D3D22DB816F7E84026BA1FCD97BB7 |
SHA1: | 0A3C8D913D481AD880FD127E2E05763D2CAA29BC |
SHA-256: | 1BEB27F9276EB6FC726824CC1809399EA57A9CEF66BD020E797E95C061DDFF85 |
SHA-512: | 6BB8FF659FCDDF99CBBAB16F116C99DE2D45339AB04F40D413407922657CED3C5601970129A8318FD9A6F1DE84D3B94615F9F1D64B61F02F3CFF2CCC64EC7C60 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.02564177450496716 |
Encrypted: | false |
SSDEEP: | 6:I3DPc3JXZxFvxggLRffPp/RbrxpRXv//4tfnRujlw//+GtluJ/eRuj:I3DPEpbzf5tFHvYg3J/ |
MD5: | 34ED425A319F10AF32C8DF7CAB8FFAE1 |
SHA1: | E2E609947E3744DF6D55FCE68FC05A2AA61C976D |
SHA-256: | 04BF4CD67A10ECC41EC60B64E78F97F81453F4513151CA6263267B3B10179942 |
SHA-512: | 09AA833CAE66DF5ED02924632C363DC1631A1ABE7A6AA4B735B61FA80813588F8358EDC8757DF0A7946A5F95ACC7A049938D3C2D6E813FF7BE3269AD6D5AA4C8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.025522874805431084 |
Encrypted: | false |
SSDEEP: | 6:I3DPcu2MzTVvxggLRQUlVyg2XtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpbTZsoYVvYg3J/ |
MD5: | 82376414F37A7716D2B1ECEDE9D273D2 |
SHA1: | 98EE3B38525F05BA0DF69F87B146543B1ED703A1 |
SHA-256: | 8437DBC0FDD171BC1111EF831F2A7D71D40F2B40790431C5A6708A3D08B13D1B |
SHA-512: | 981A7E9DD78414B5524457606B35107DA59F96C6627B3621AED029913792E3ACFF2285E0C9B4CB6D4E67C5935A053376BC2440E7CB6A41CAD6C7D17C1DC1557A |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 71 |
Entropy (8bit): | 4.7517417537838185 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlLTwjomX1dhwjov:bCATwjnwjy |
MD5: | 25D7B5D6D6086847396CCCDADCA6C87C |
SHA1: | 162AB026FAB5A2DC042B0E28A7C95E8586F4150B |
SHA-256: | 0A585BE0F2682A21AC65E72D7E2243996FF2D339CBF7381F73A141886FD893AC |
SHA-512: | 0346058E240E405B86D3AC8BB5FC6A5B4FB33BC4E6D2FDB72E451C036724BD0A3F0C76658B002E46E99784EC7E8B9C65117B14C3989979A71904113173C42DA6 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1014 |
Entropy (8bit): | 4.571524158318932 |
Encrypted: | false |
SSDEEP: | 12:8SuB/1zFgXg/XAlCPCHaXNBQtB/SxXX+W3fcfY5i6vDuicvb8odvD+DtZ3YilMMw:8SuD//XT9SUEZCJehiDv3qEu7D |
MD5: | 4BD4BE241A945CBA7C698EF148E07406 |
SHA1: | F1FE545BCE5F19932BF5A61FAB2739415EAB951C |
SHA-256: | C8B54A2C821B444583AB000AACE311D61D46E6C531B489E154E5079251356E54 |
SHA-512: | ECC3852A0F4FCC2231D9AD8E68FCDD5AF1D157F68A815666B671056DBC7C8FA5BA15F31345E5E78F867DE4E089D86031224E8BDEB0FA31741427C1FB4E7C09FD |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.503835550707525 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll |
MD5: | D9C8F93ADB8834E5883B5A8AAAC0D8D9 |
SHA1: | 23684CCAA587C442181A92E722E15A685B2407B1 |
SHA-256: | 116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11 |
SHA-512: | 7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.78474754382263 |
TrID: | |
File name: | v4nkfHg4d9.doc |
File size: | 77319 |
MD5: | cbc307d6059925e9abbdbdec4d9ec0c1 |
SHA1: | 8f0fc563f43cc1422b523a21f01858e031761e5f |
SHA256: | 8d61ea9ef38b6e7b36f466299223ad43339080d3a9914059c88ca3dd6be5cd32 |
SHA512: | 58d4ef2537a7afaa1f37787f2c40e3084c19ccd350216c691ce9296b18d2864c2286176413ada7d53a350a9a98e2eab6b660a2af74b921d271e0fe3c1c60201f |
SSDEEP: | 1536:86yyyyyyyy7bb9/5sLMmmMBIBEgMFBuvfve6046kHOUZgfCG5934Si:Vbh585IBm5IhZtGyR |
TLSH: | 8E73D01ED251C677F2270A34AA962C4FA1680EB29814DE6579EB709F9393F700FB1DC1 |
File Content Preview: | PK..........!.R(G]t...........[Content_Types].xml ...(......................................................................................................................................................................................................... |
Icon Hash: | e4eea2aaa4b4b4a4 |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Title: | |
Subject: | |
Author: | |
Keywords: | |
Template: | |
Last Saved By: | |
Revision Number: | 1 |
Total Edit Time: | 0 |
Create Time: | 2022-09-14T21:33:00Z |
Last Saved Time: | 2022-09-14T21:35:00Z |
Number of Pages: | 1 |
Number of Words: | 3 |
Number of Characters: | 24 |
Creating Application: | |
Security: | 0 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0000 |
General | |
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 77 |
Entropy: | 2.954779533874008 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
File Type: | data |
Stream Size: | 20 |
Entropy: | 0.8475846798245739 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole10Native |
File Type: | data |
Stream Size: | 2224196 |
Entropy: | 2.717138672565793 |
Base64 Encoded: | False |
Data ASCII: | @ ! . B M 6 ! . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 40 f0 21 00 42 4d 36 f0 21 00 00 00 00 00 36 00 00 00 28 00 00 00 d4 02 00 00 00 04 00 00 01 00 18 00 00 00 00 00 00 f0 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
General | |
Stream Path: | \x3ObjInfo |
File Type: | data |
Stream Size: | 6 |
Entropy: | 1.2516291673878228 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . |
Data Raw: | 00 00 03 00 04 00 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 20, 2022 12:02:10.696459055 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.742836952 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.742918968 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.791011095 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.791162968 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.792032003 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.837688923 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.837728024 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.837802887 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.838289976 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.910141945 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.910326004 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.936786890 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:10.984545946 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:10.984663010 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.032004118 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.032083035 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.033051968 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.080388069 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.080477953 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.080568075 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.080775023 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.150372982 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.150564909 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.151166916 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.200845003 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.201036930 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.202518940 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.248918056 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.249136925 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.249938011 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.295718908 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.295818090 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.296056032 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.341979027 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.342092037 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.342463970 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.388988972 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389071941 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389091969 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389117002 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389137983 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389185905 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389205933 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389231920 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389252901 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389292955 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389305115 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389333010 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389352083 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389389038 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389400005 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389429092 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:11.389446020 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:11.389486074 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.444097996 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.490041018 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.490206003 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.490854979 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.536734104 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.536968946 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.540354013 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.586121082 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.586226940 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.587541103 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.633366108 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.633512020 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.635066986 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.680747032 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.680932999 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.681423903 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.728256941 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.728455067 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.729652882 CEST | 49181 | 18657 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.733166933 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.775399923 CEST | 18657 | 49181 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.778943062 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.779099941 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.826597929 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.826807976 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.827395916 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.873198032 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.873446941 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:15.873541117 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.873877048 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:15.959799051 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:18.971479893 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:18.971641064 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:18.971755028 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.017976046 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.018204927 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.022921085 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.023060083 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.616050959 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.662720919 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.662802935 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.670332909 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.716695070 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.716806889 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.717375040 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.763015985 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.763107061 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.763428926 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.813055992 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.813225985 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.872776985 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948721886 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948775053 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948802948 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948812008 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948832989 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948832989 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948863983 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948867083 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948885918 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948906898 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948919058 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948923111 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948932886 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:19.948960066 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:19.948973894 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.380220890 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.426716089 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.426924944 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.427117109 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.474080086 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.474724054 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.474771023 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.521704912 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.521862030 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.522870064 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.570864916 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.571019888 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.580239058 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.628501892 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.628606081 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.628993034 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.676326990 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.676578999 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.678829908 CEST | 49184 | 30008 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.681394100 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.724914074 CEST | 30008 | 49184 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.728101015 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.728266954 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.777198076 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.777391911 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.777734041 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.823724031 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.823898077 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:20.824001074 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.824271917 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:20.910762072 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:26.714620113 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:26.714818954 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:26.714895010 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:26.762840033 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:26.762882948 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:02:26.762926102 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:02:26.762974977 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:03:20.018928051 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:03:20.019193888 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:03:20.019964933 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:03:20.020062923 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:03:20.775015116 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:03:20.775221109 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Sep 20, 2022 12:03:20.775736094 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 |
Sep 20, 2022 12:03:20.775816917 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 20, 2022 12:02:10.660922050 CEST | 59915 | 53 | 192.168.2.22 | 8.8.8.8 |
Sep 20, 2022 12:02:10.681641102 CEST | 53 | 59915 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 20, 2022 12:02:10.660922050 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc65 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 20, 2022 12:02:10.681641102 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc65 | No error (0) | | | 185.27.134.11 | A (IP address) | IN (0x0001) | false |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Sep 20, 2022 12:02:10.791011095 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 380 of 6900 allowed. 220-Local time is now 05:31. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 60 seconds of inactivity. |
Sep 20, 2022 12:02:10.792032003 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | USER epiz_32594997 |
Sep 20, 2022 12:02:10.837728024 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 331 User epiz_32594997 OK. Password required |
Sep 20, 2022 12:02:10.838289976 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | PASS FKmeEtIWDg |
Sep 20, 2022 12:02:10.910141945 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 230-Your bandwidth usage is restricted 230 OK. Current restricted directory is / |
Sep 20, 2022 12:02:11.032004118 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 379 of 6900 allowed. 220-Local time is now 05:31. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 60 seconds of inactivity. |
Sep 20, 2022 12:02:11.033051968 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | USER epiz_32594997 |
Sep 20, 2022 12:02:11.080477953 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 331 User epiz_32594997 OK. Password required |
Sep 20, 2022 12:02:11.080775023 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | PASS FKmeEtIWDg |
Sep 20, 2022 12:02:11.150372982 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 230-Your bandwidth usage is restricted 230 OK. Current restricted directory is / |
Sep 20, 2022 12:02:11.151166916 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | TYPE I |
Sep 20, 2022 12:02:11.200845003 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 200 TYPE is now 8-bit binary |
Sep 20, 2022 12:02:11.202518940 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | PASV |
Sep 20, 2022 12:02:11.248918056 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 227 Entering Passive Mode (185,27,134,11,72,225) |
Sep 20, 2022 12:02:11.341979027 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 213 6827 |
Sep 20, 2022 12:02:11.342463970 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | RETR /htdocs/a.html |
Sep 20, 2022 12:02:11.388988972 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 150-Accepted data connection 150 6.7 kbytes to download |
Sep 20, 2022 12:02:11.389252901 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 226-File successfully transferred 226 0.000 seconds (measured here), 52.92 Mbytes per second |
Sep 20, 2022 12:02:15.444097996 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | CWD /htdocs/ |
Sep 20, 2022 12:02:15.490041018 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 250 OK. Current directory is /htdocs |
Sep 20, 2022 12:02:15.490854979 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | PWD |
Sep 20, 2022 12:02:15.536734104 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 257 "/htdocs" is your current location |
Sep 20, 2022 12:02:15.540354013 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | TYPE A |
Sep 20, 2022 12:02:15.586121082 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 200 TYPE is now ASCII |
Sep 20, 2022 12:02:15.587541103 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | PORT 192,168,2,22,192,30 |
Sep 20, 2022 12:02:15.633366108 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43) |
Sep 20, 2022 12:02:15.680747032 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 500 Unknown command |
Sep 20, 2022 12:02:15.681423903 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | CWD /htdocs/ |
Sep 20, 2022 12:02:15.728256941 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 250 OK. Current directory is /htdocs |
Sep 20, 2022 12:02:15.826597929 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 376 of 6900 allowed. 220-Local time is now 05:31. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 60 seconds of inactivity. |
Sep 20, 2022 12:02:15.827395916 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 | USER anonymous |
Sep 20, 2022 12:02:15.873446941 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 | 331 User anonymous OK. Password required |
Sep 20, 2022 12:02:15.873877048 CEST | 49183 | 21 | 192.168.2.22 | 185.27.134.11 | PASS User@ |
Sep 20, 2022 12:02:18.971479893 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 | 530 Login authentication failed |
Sep 20, 2022 12:02:19.017976046 CEST | 21 | 49183 | 185.27.134.11 | 192.168.2.22 | 530 Logout. |
Sep 20, 2022 12:02:19.616050959 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | TYPE I |
Sep 20, 2022 12:02:19.662720919 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 200 TYPE is now 8-bit binary |
Sep 20, 2022 12:02:19.670332909 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | PASV |
Sep 20, 2022 12:02:19.716695070 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 227 Entering Passive Mode (185,27,134,11,117,56) |
Sep 20, 2022 12:02:19.813055992 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 213 6827 |
Sep 20, 2022 12:02:19.872776985 CEST | 49180 | 21 | 192.168.2.22 | 185.27.134.11 | RETR /htdocs/a.html |
Sep 20, 2022 12:02:19.948721886 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 150-Accepted data connection 150 6.7 kbytes to download |
Sep 20, 2022 12:02:19.948932886 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 226-File successfully transferred 226 0.000 seconds (measured here), 48.59 Mbytes per second |
Sep 20, 2022 12:02:20.380220890 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | CWD /htdocs/ |
Sep 20, 2022 12:02:20.426716089 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 250 OK. Current directory is /htdocs |
Sep 20, 2022 12:02:20.427117109 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | PWD |
Sep 20, 2022 12:02:20.474080086 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 257 "/htdocs" is your current location |
Sep 20, 2022 12:02:20.474771023 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | TYPE A |
Sep 20, 2022 12:02:20.521704912 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 200 TYPE is now ASCII |
Sep 20, 2022 12:02:20.522870064 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | PORT 192,168,2,22,192,33 |
Sep 20, 2022 12:02:20.570864916 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 500 I won't open a connection to 192.168.2.22 (only to 84.17.52.43) |
Sep 20, 2022 12:02:20.628501892 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 500 Unknown command |
Sep 20, 2022 12:02:20.628993034 CEST | 49179 | 21 | 192.168.2.22 | 185.27.134.11 | CWD /htdocs/ |
Sep 20, 2022 12:02:20.676326990 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 250 OK. Current directory is /htdocs |
Sep 20, 2022 12:02:20.777198076 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 345 of 6900 allowed. 220-Local time is now 05:31. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 60 seconds of inactivity. |
Sep 20, 2022 12:02:20.777734041 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 | USER anonymous |
Sep 20, 2022 12:02:20.823898077 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 | 331 User anonymous OK. Password required |
Sep 20, 2022 12:02:20.824271917 CEST | 49186 | 21 | 192.168.2.22 | 185.27.134.11 | PASS User@ |
Sep 20, 2022 12:02:26.714620113 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 | 530 Login authentication failed |
Sep 20, 2022 12:02:26.762840033 CEST | 21 | 49186 | 185.27.134.11 | 192.168.2.22 | 530 Logout. |
Sep 20, 2022 12:03:20.018928051 CEST | 21 | 49180 | 185.27.134.11 | 192.168.2.22 | 421 Timeout - try typing a little faster next time |
Sep 20, 2022 12:03:20.775015116 CEST | 21 | 49179 | 185.27.134.11 | 192.168.2.22 | 421 Timeout - try typing a little faster next time |
Target ID: | 0 |
Start time: | 12:01:17 |
Start date: | 20/09/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fc20000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |