Windows
Analysis Report
PO-070-2024 EXW.docx
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- WINWORD.EXE (PID: 3520 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cleanup
Matched Sigma rules (rule names not extracted), by author: X__Junior (Nextron Systems); frack113; Nasreddine Bencherchali (Nextron Systems).
Signature evidence rows, in report order (the per-row values were not extracted; only the evidence type and row count survive):
- HTTPS traffic detected (3), File opened (1), HTTPS traffic detected (1)
- DNS query (7)
- TCP traffic (216)
- ASN Name (1), JA3 fingerprint (2)
- HTTP traffic detected (2), HTTPS traffic detected (3), File created (1), HTTP traffic detected (2), DNS traffic detected (1), HTTP traffic detected (4)
- Network traffic detected (16), HTTPS traffic detected (1)
- OLE stream indicators for Word, Excel, PowerPoint, and Visio (1), Classification label (1), File created (2), OLE indicator, Word Document stream (2), OLE document summary (4)
- File read (1), Key opened (1), LNK file (1), Window detected (1), Initial sample (9), Key opened (1), File opened (1), Initial sample (1)
Persistence and Installation Behavior
Evidence rows under this heading (values not extracted): File opened (1), Extracted files from sample (1), Section loaded (1), Process information set (68).
Stream path '_1789543103/Package' entropy: (value not extracted)
MITRE ATT&CK techniques with matching signatures (number of matching signatures in parentheses; every other cell of the matrix was empty):
- Execution: Exploitation for Client Execution (3)
- Defense Evasion: Masquerading (1), Obfuscated Files or Information (1)
- Discovery: File and Directory Discovery (1), System Information Discovery (2)
- Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (3), Application Layer Protocol (14), Ingress Tool Transfer (4)
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 11% | ReversingLabs | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
stylite.io | 213.183.76.22 | true | true | unknown |
Two further contacted names were not extracted; both were rated not malicious, with the remaining value unknown.
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
213.183.76.22 | stylite.io | Germany | 15945 | PFALZKOM-NETKoschatplatz1DE | true |
213.183.76.21 | unknown | Germany | 15945 | PFALZKOM-NETKoschatplatz1DE | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1525993 |
Start date and time: | 2024-10-04 16:31:01 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PO-070-2024 EXW.docx |
Detection: | MAL |
Classification: | mal56.evad.winDOCX@1/16@7/2 |
EGA Information: | Failed |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: PO-070-2024 EXW.docx
Context: other samples sharing these indicators (per-sample names, SHA-256 values and links were not extracted; only the threat labels survive, with counts where a label repeats).

IP addresses
Match | Threat names of associated samples |
---|---|
213.183.76.22 | Remcos; Snake Keylogger |
213.183.76.21 | Remcos; Snake Keylogger |

Domains
Match | Threat names of associated samples |
---|---|
stylite.io | Remcos; Snake Keylogger |

ASN (the same list was shown once for each of the two contacted IPs)
Match | Threat names of associated samples |
---|---|
PFALZKOM-NETKoschatplatz1DE (AS15945) | Remcos; Snake Keylogger; Mirai (2); Unknown (2); Moobot; Phisher; Mirai, Moobot |

JA3 fingerprints
Match | Threat names of associated samples |
---|---|
05af1f5ca1b87cc9cc9b25185115607d | Remcos (5); Unknown (1); Snake Keylogger, VIP Keylogger (2); Snake Keylogger (1) |
7dcce5b76c8b17472d024758970a406b | Remcos (4); Unknown (3); Snake Keylogger (1); FormBook (1) |
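The two JA3 values the report pivots on are MD5 digests of the string "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats", each list taken from the ClientHello in decimal, joined with "-", with GREASE values dropped. The block below is an added example, not Joe Sandbox code: it parses a raw TLS record down to the ClientHello fields and builds the JA3 string and hash. The ClientHello it runs on is constructed here (TLS 1.2 version field, one GREASE cipher suite and one GREASE extension that must be ignored, an SNI of stylite.io taken from this report's contacted domain, x25519 and secp256r1 as groups); its hash is therefore of this constructed hello and will not match the two fingerprints listed above.

```python
"""JA3 fingerprint of a TLS ClientHello (added example, not sandbox code).
JA3 = MD5("SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats")
with every list in decimal, '-'-joined, and GREASE values (0x0a0a, 0x1a1a, ...)
dropped. The ClientHello used below is constructed for this example."""
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa
EXT_SUPPORTED_GROUPS = 0x000a
EXT_EC_POINT_FORMATS = 0x000b


def _u16_list(buf: bytes) -> list[int]:
    return [v for (v,) in struct.iter_unpack(">H", buf)]


def _join(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_string(record: bytes) -> str:
    """Walk TLS record -> Handshake -> ClientHello and assemble the JA3 string."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from(">H", record, 3)
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4                                        # msg type + 3-byte length
    (version,) = struct.unpack_from(">H", hs, off); off += 2
    off += 32                                      # client random
    off += 1 + hs[off]                             # session id
    (cs_len,) = struct.unpack_from(">H", hs, off); off += 2
    ciphers = [c for c in _u16_list(hs[off:off + cs_len]) if c not in GREASE]
    off += cs_len
    off += 1 + hs[off]                             # compression methods
    exts, curves, points = [], [], []
    if off < len(hs):                              # extensions block is optional
        (ext_len,) = struct.unpack_from(">H", hs, off); off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack_from(">HH", hs, off); off += 4
            body = hs[off:off + elen]; off += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                (n,) = struct.unpack_from(">H", body, 0)
                curves = [g for g in _u16_list(body[2:2 + n]) if g not in GREASE]
            elif etype == EXT_EC_POINT_FORMATS:
                points = list(body[1:1 + body[0]])
    return f"{version},{_join(ciphers)},{_join(exts)},{_join(curves)},{_join(points)}"


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(version: int, ciphers: list[int], extensions) -> bytes:
    """Minimal ClientHello record builder; extensions is [(type, body_bytes)].
    Only used to construct the sample so the parser can be checked offline."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"          # random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                                 # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed sample: TLS 1.2 version field, one GREASE cipher and one GREASE
# extension (both must be ignored), SNI for the domain contacted in this report,
# supported_groups x25519 + secp256r1, ec_point_formats uncompressed.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x2a2a, 0xc02b, 0xc02f, 0x009c],
    [
        (0x3a3a, b""),                                                   # GREASE extension
        (0x0000, b"\x00\x0d" + b"\x00" + b"\x00\x0a" + b"stylite.io"),   # server_name
        (EXT_SUPPORTED_GROUPS, b"\x00\x04" + b"\x00\x1d" + b"\x00\x17"),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
        (0x0023, b""),                                                   # session_ticket
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,49195-49199-156,0-10-11-35,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

Two details matter when reproducing a sandbox's JA3 by hand: the version field is the one inside the ClientHello, not the record-layer version (0x0301 here), and GREASE values are removed from the cipher, extension and group lists before hashing, otherwise Chrome-style randomised GREASE would give a different hash on every connection.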
Dropped and modified files. Every entry was written by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, is Encrypted: false and Malicious: false, and has no extracted File Type; Reputation is "low" where the report gave one. Paths marked "(not extracted)" were missing from the page; rows 8, 14 and 15 carry the same hashes as rows 1, 12 and 13.

# | Path | Category | Size (bytes) | Entropy (8bit) | Reputation | MD5 | SHA-1 | SHA-256 | SHA-512 | SSDEEP |
---|---|---|---|---|---|---|---|---|---|---|
1 | C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy) | dropped | 131072 | 0.02573908657392288 | low | E4721111BF3701C41F9098F89A0F94B0 | B2236F1BF555541FACFADD8B63772AAE1FF4274A | A368586B6B3E1A0C13015704837FC6E398ED82EDE911B6F6B60985361DCB47C2 | 5DF3170D1749E96FA92845E618B6C7A59B2D8397BA959254BDCE1EB58549CDD58E259D42CB902C5117C38C7FEFB05C9F451062183B221E5008199C44D0EDD7BB | 6:I3DPcVQJBaWvxggLRJcUy6OssDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPEQbmKOss1vYg3J/ |
2 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1DB59C6B.emf | dropped | 484160 | 3.8864316104704324 | low | A61798BF257485BAA37AD0863DFDA9C6 | 6356E87D0D93FD7DAAF225AF3DFCCA27705A2717 | 1AE272725C8CC33D6CA16533E9BFE2B91885C1F8926F13D8F3475192174BFA54 | E1FBE16E09A75D6C1A98F9EC9224350214B0E34EC0049870CAE03D90CF78BE5FFF3ECE69E4149729DF6F731D0E7630A64C800DFCA63EF06A862D512C30E3FC68 | 1536:6lGUVs3QKMY4ELH5RQVKTT1HXxlUL7z5likIUvIfxT0kPrS2:ZLZRQVGB4fj2 |
3 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5345CD92.emf | dropped | 1256732 | 3.82589372392918 | low | 082E8FBE73D98FD6C861150EF1FC0905 | C91ECCF6C9A73B74D9D1442EB72A8D6F650EDC64 | 574EF96FEF6B764D4047BB2D714AB5D753EC81E87BC9F5AD1526DB74446E3B13 | AFEE4534199071801E19AE9D8E57B396989746E3F9D7081337B85B4B2108625849364BD04AFBA41261CC731BD54A83D8269A5EF74EE1878B157628C34240E751 | 12288:c3t3bECFzKzjLBMc0GtIRabD8R1AZJBa5jB7gOaOG/:cBACi8BiJK+d |
4 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0410895.emf | dropped | 7388 | 3.4978769133855403 | low | 7E1524EDF040EB5EDBD1BED6E70730B4 | 1C8B74CE483139667E3C99CFDEFD780B6CC83C96 | AED73DE15274C7EFD791BE09A2DD14579E49B567958A54EAFC39AA7CDA0F1F81 | 2A8497100334680D6CCF7A8C353F3796D6B158337645B735914B1C8520B5664069E4B062DAA9D76452C8517B3FFC9785A1E0FA5A5747DB9C75C98BD8BDA203AC | 48:JI37fPfjYzJSEfNjyyeffffffffffffffffffffffVa7FyltyzzlYYqEVPq6Bl6N:O3TWGy9B6YkyJiEf1U0i |
5 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D9F34C1E-4854-4139-A8B6-41A439905E70}.tmp | dropped | 258048 | 7.83885305146706 | low | D6CD67EE581035CF9DA53E872FD9A874 | 650B06F1BCCFD095AE536F8777634E4447FB4DC2 | 40B6F94A4398E71D513EFBCB0F028C60F7E639550FF4C6577EA679B390A98A4D | C2EBB8C50964D94F963D6EEBCF6B2C2B4375754FF3D642C2CFA390328F4D05043AF67E03718E8E193AF605FBC13BFB3E25BA12BBB93887DC1A7E70904F5679F6 | 6144:MlNJQEA/8vLYjE7yeVDxHg9VImcfl7CTjQQm:aJNQU9XHgrImckAQm |
6 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{537E1DDC-F469-4035-8F88-E4CF06BBC501}.tmp | dropped | 1536 | 2.9224663475921906 | | 48209ABC7CBA4D3C6666C7E52CEE5D37 | EBA07D8797F60AAB19A8EDD7C6A8029E754E2F5F | 0EF88EB7F39465C30420CE0B8CD740893DE4FCE3870E06CE57249514CB051623 | 72DA5775CFE0E7FC961D5600E0BB3FA860CBF10E558738730CB414EF96FA52503029B7CBD72076AEDB22331F856837D2524E35EB1FE3CA241B8400206AB39B40 | 24:9naGMCleK+KslMb8jjHl+8HLHr9Dryn/n:9dSl48jjHl+AVa/ |
7 | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C5D7766F-BCC3-4F8D-B0D1-2EF8DB43D0A9}.tmp | dropped | 1024 | 0.05390218305374581 | | 5D4D94EE7E06BBB0AF9584119797B23A | DBB111419C704F116EFA8E72471DD83E86E49677 | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 | 3:ol3lYdn:4Wn |
8 | (not extracted) | dropped | 131072 | 0.02573908657392288 | | E4721111BF3701C41F9098F89A0F94B0 | B2236F1BF555541FACFADD8B63772AAE1FF4274A | A368586B6B3E1A0C13015704837FC6E398ED82EDE911B6F6B60985361DCB47C2 | 5DF3170D1749E96FA92845E618B6C7A59B2D8397BA959254BDCE1EB58549CDD58E259D42CB902C5117C38C7FEFB05C9F451062183B221E5008199C44D0EDD7BB | 6:I3DPcVQJBaWvxggLRJcUy6OssDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPEQbmKOss1vYg3J/ |
9 | (not extracted) | dropped | 131072 | 0.02570204774814565 | | A3D260F83F1E423E566B4B052795FCA1 | 6EDAB22F727894D4967F065DBCDF6AEE44B56344 | 00A58D7E247D468E3E83EBB01990E001D156C6BA4EAA455FB7F9F3611525D42A | 45C8A6B565025F86B3D8C501C2F6D4F6681C56CCCAE27897463B329DBD5F7F6C726729309199E67BE5A164B56F22468DA82F6C6F9D7AA3075E98B61A9BC44FD2 | 6:I3DPcpn9ZqR5HvxggLR/oNvfFRXv//4tfnRujlw//+GtluJ/eRuj:I3DP4n9ZqfPTmXbvYg3J/ |
10 | (not extracted) | dropped | 1044 | 4.523489311449114 | | 6817927283F3F900076A5B6DEC58A4EE | A513EEA8B4ACB07CA742EC217D3FDF631E472938 | 0F9FEC1316F55E41A1FD76F812B80E3145E7508E7CAFF45F30730E7344877FFD | 552564ED282138D15B4FFE8A2FA44D490B998D56A4A20A627E617F892D40FBC27FD034E3862E11EC6C60D6AF0833ED61825A799B8C4341849A0B15D8F304B25D | 12:8z57LSK6hgXg/XAlCPCHaXeIBO1B/VoX+WByfHc8MhSTkicvbz/dl2mNDtZ3Yiln:8t7rS/XTOI41M/y0STePPdDv3qwti57u |
11 | (not extracted) | dropped | 65 | 4.6685216591823 | | 69A8027DD969F55C758F182BEF5CF96B | D31483783E488E663779755B43C39F91C8852AC3 | 0EF79362195421BAE0520ACE450D8A335B5F19EE0C35930674D482F29284AF8D | D7F59D6C04808BE7B0DB197A4658D2062DF758FF2C2561C7855F9F08147EDBF254146D447DDE94A779492DC136CEC321AB06C6878B221A4EFB22018A215C1176 | 3:H+MVItj/pulm4YPVItj/pulv:Hc/AGK/A1 |
12 | (not extracted) | dropped | 162 | 2.503835550707526 | | 0242FE15C357E1F4F690389FA2A5D79D | A45B5C025BF4B6F9CD21A65AE6FFA6EB99BD46AC | 4FEB171EECBB41AC06DA90CFD42C190C3FFC40A8187406C1AE8D4EFE5BEE0162 | 605CEDA901D869E1E562947187FEE88B1A95A47F9E06D3C144895D16A7DF25AE41E54702A88840C67D4374479D068182DBD851536937BB66004A8162F01645BB | 3:vrJlaCkWtVybAyaHgdWM2qFfln:vdsCkWt4aAB9l |
13 | (not extracted) | dropped | 529558 | 7.955947071682177 | | 3397DE5A24FF54A1CEB764ED1BADC838 | 61391537626A672FA2268892FE22CDB155DFF52A | B1897F18A913A629F13ECD7707D3A5FABA65DB0A5FAD440C2C19D8A71D6AF42C | 1131B4053EA406B6569E54C60A0AC729CFAB895C5CDDD8EFFB326786905519EDF636336E902050251B8A93022CB29C518F0C58206223626B73DF378FBD529932 | 12288:VmckAQmgQU9XHgrdg6KUONqta0GCSSFhaGPONT+srQ4E8VM:VmckL5QUur2QONqg0GQM53iIM |
14 | (not extracted) | dropped | 162 | 2.503835550707526 | | 0242FE15C357E1F4F690389FA2A5D79D | A45B5C025BF4B6F9CD21A65AE6FFA6EB99BD46AC | 4FEB171EECBB41AC06DA90CFD42C190C3FFC40A8187406C1AE8D4EFE5BEE0162 | 605CEDA901D869E1E562947187FEE88B1A95A47F9E06D3C144895D16A7DF25AE41E54702A88840C67D4374479D068182DBD851536937BB66004A8162F01645BB | 3:vrJlaCkWtVybAyaHgdWM2qFfln:vdsCkWt4aAB9l |
15 | (not extracted) | dropped | 529558 | 7.955947071682177 | | 3397DE5A24FF54A1CEB764ED1BADC838 | 61391537626A672FA2268892FE22CDB155DFF52A | B1897F18A913A629F13ECD7707D3A5FABA65DB0A5FAD440C2C19D8A71D6AF42C | 1131B4053EA406B6569E54C60A0AC729CFAB895C5CDDD8EFFB326786905519EDF636336E902050251B8A93022CB29C518F0C58206223626B73DF378FBD529932 | 12288:VmckAQmgQU9XHgrdg6KUONqta0GCSSFhaGPONT+srQ4E8VM:VmckL5QUur2QONqg0GQM53iIM |
16 | (not extracted) | modified | 26 | 3.95006375643621 | | 187F488E27DB4AF347237FE461A079AD | 6693BA299EC1881249D59262276A0D2CB21F8E64 | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E | 3:ggPYV:rPYV |
File type: |
Entropy (8bit): | 7.99374264934029 |
TrID: |
File name: | PO-070-2024 EXW.docx |
File size: | 458'184 bytes |
MD5: | ec393bad7364db40b4fb1d07a654ec54 |
SHA1: | b51e6d26528e3667e87c29672dec312a6f4d7a90 |
SHA256: | b36248f2e24e6ac7fa34c51336c87b0564f566bf37e4f80010ecffc0baf77986 |
SHA512: | 884a96308b7fa83f47db4006fe0c5ca8ce92143f534447826ed5f43efcaef6cefd1592b56fdbd02248df7080f3ca0b51d3f72886564dad95b24aec51e2c93e79 |
SSDEEP: | 12288:GMY4Eg5/Y+vnfrYbCGGmdq/c2KoTQkBaJhR+6EiXyC:GlBwL3rYbCGGyyLKcd8JhxEiXyC |
TLSH: | 7DA423E5F44C2C655E85083E05159E14B3AFDF9FC0071AAF3779092AE9A684EEF580CE |
File Content Preview: | PK........&.CY...k....'.......[Content_Types].xmlUT......f...f...f.V.n.0....?......(..r.].M...@.#.-E..Ib.}..c.A"9u._$..............._.y5..x....Z...V~....F....[@q.|.nq.....=..%...D.B....<G..:E...2*.[.A^.f.....SI.C,.7l Y...J.]u.#.C2...| ...D...e.Z.......|.. |
Icon Hash: | 65e6a3a3afb7bdbf |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Title: | |
Subject: | |
Author: | 91974 |
Keywords: | |
Template: | |
Last Saved By: | 91974 |
Revision Number: | 2 |
Total Edit Time: | 2 |
Create Time: | 2024-10-03T12:13:00Z |
Last Saved Time: | 2024-10-03T12:15:00Z |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 0 |
Creating Application: | |
Security: | 0 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1Ole10Native |
CLSID: | |
File Type: | data |
Stream Size: | 50644 |
Entropy: | 7.724951216605807 |
Base64 Encoded: | True |
Data ASCII: | . . . . 0 0 5 0 0 _ 8 0 0 9 _ 1 7 7 7 _ 2 4 _ 2 5 . p d f . C : \\ U s e r s \\ 9 1 9 7 4 \\ O n e D r i v e \\ D e s k t o p \\ W o r d F i l e \\ N E W F I L E S \\ 0 0 5 0 0 _ 8 0 0 9 _ 1 7 7 7 _ 2 4 _ 2 5 . p d f . . . . . < . . . C : \\ U s e r s \\ 9 1 9 7 4 \\ A p p D a t a \\ L o c a l \\ T e m p \\ 0 0 5 0 0 _ 8 0 0 9 _ 1 7 7 7 _ 2 4 _ 2 5 . p d f . . . % P D F - 1 . 3 . % . . 1 0 o b j . < < . / T y p e / P a g e . / M e d i a B o x [ 0 0 5 9 4 . 3 6 8 4 0 . 6 0 ] . / C r o p B o x [ 0 0 5 |
Data Raw: | d0 c5 00 00 02 00 30 30 35 30 30 5f 38 30 30 39 5f 31 37 37 37 5f 32 34 5f 32 35 2e 70 64 66 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 37 34 5c 4f 6e 65 44 72 69 76 65 5c 44 65 73 6b 74 6f 70 5c 57 6f 72 64 46 69 6c 65 5c 4e 45 57 46 49 4c 45 53 5c 30 30 35 30 30 5f 38 30 30 39 5f 31 37 37 37 5f 32 34 5f 32 35 2e 70 64 66 00 00 00 03 00 3c 00 00 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 |
General | |
Stream Path: | \x3ObjInfo |
CLSID: | |
File Type: | data |
Stream Size: | 6 |
Entropy: | 1.2516291673878228 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . |
Data Raw: | 00 00 03 00 0d 00 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 4, 2024 16:32:17.079583883 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:17.079638004 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:17.079698086 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:17.085063934 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:17.085077047 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:17.944055080 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:17.944134951 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:17.950207949 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:17.950220108 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:17.950668097 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:17.950720072 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.082678080 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.127403975 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:18.275810003 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:18.275892973 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:18.275949001 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.276355982 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.281133890 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.281162024 CEST | 443 | 49161 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:18.281174898 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.281213999 CEST | 49161 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:18.868993998 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:18.869045019 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:18.869118929 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:18.869616032 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:18.869637966 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:19.734695911 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:19.734836102 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:19.739082098 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:19.739094019 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:19.739545107 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:19.746021986 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:19.787412882 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.015954971 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.016032934 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.016098022 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.016168118 CEST | 49162 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.016189098 CEST | 443 | 49162 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.018182039 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.018224001 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.018275023 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.018481016 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.018488884 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.847182035 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.848875999 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.848903894 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:20.849580050 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:20.849585056 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:21.122380018 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:21.122466087 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:21.122585058 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:21.122647047 CEST | 49163 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:21.122669935 CEST | 443 | 49163 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:24.401870012 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:24.401913881 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:24.402013063 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:24.402627945 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:24.402646065 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.250042915 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.250210047 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:25.254211903 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:25.254221916 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.254527092 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.270648956 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:25.311418056 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.527854919 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.528026104 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.528090954 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:25.528170109 CEST | 49164 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:25.528189898 CEST | 443 | 49164 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:25.918452978 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:25.918502092 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:25.918800116 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:25.919276953 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:25.919289112 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:26.764673948 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:26.764822006 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:26.770452976 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:26.770472050 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:26.770776987 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:26.773542881 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:26.819405079 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.040249109 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.040333986 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.040803909 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.074502945 CEST | 49165 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.074541092 CEST | 443 | 49165 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.086997032 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.087047100 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.087125063 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.087409019 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.087424040 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.912971973 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.913439035 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.913455009 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:27.914093971 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:27.914100885 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:28.197087049 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:28.197160006 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:28.197267056 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:28.198507071 CEST | 49166 | 443 | 192.168.2.22 | 213.183.76.21 |
Oct 4, 2024 16:32:28.198527098 CEST | 443 | 49166 | 213.183.76.21 | 192.168.2.22 |
Oct 4, 2024 16:32:28.234616995 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:28.234662056 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:28.234738111 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:28.235024929 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:28.235044003 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.086785078 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.088686943 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.090430021 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.090455055 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.091896057 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.091917038 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.364873886 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.364964962 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.365016937 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.365223885 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.365861893 CEST | 49167 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.365884066 CEST | 443 | 49167 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.366663933 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.366697073 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:29.366755009 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.367058992 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:29.367074966 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.211733103 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.211853981 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.215343952 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.215356112 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.216748953 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.216770887 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497659922 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497725964 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497771978 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497791052 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.497807026 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497819901 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.497819901 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.497848988 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.497855902 CEST | 443 | 49168 | 213.183.76.22 | 192.168.2.22 |
Oct 4, 2024 16:32:30.497895956 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.498173952 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Oct 4, 2024 16:32:30.498195887 CEST | 49168 | 443 | 192.168.2.22 | 213.183.76.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 4, 2024 16:32:17.036381960 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:17.076277971 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:18.839365959 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:18.851174116 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:18.853276968 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:18.868464947 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:24.385238886 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:24.392152071 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:24.393754005 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:24.401473045 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:25.900036097 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:25.907402992 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22 |
Oct 4, 2024 16:32:25.908814907 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 4, 2024 16:32:25.916390896 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 4, 2024 16:32:17.036381960 CEST | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:18.839365959 CEST | 192.168.2.22 | 8.8.8.8 | 0x5258 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:18.853276968 CEST | 192.168.2.22 | 8.8.8.8 | 0x313d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:24.385238886 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:24.393754005 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:25.900036097 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 4, 2024 16:32:25.908814907 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c5b | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 4, 2024 16:32:17.076277971 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:17.076277971 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:18.851174116 CEST | 8.8.8.8 | 192.168.2.22 | 0x5258 | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:18.851174116 CEST | 8.8.8.8 | 192.168.2.22 | 0x5258 | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:18.868464947 CEST | 8.8.8.8 | 192.168.2.22 | 0x313d | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:18.868464947 CEST | 8.8.8.8 | 192.168.2.22 | 0x313d | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:24.392152071 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:24.392152071 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:24.401473045 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:24.401473045 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:25.907402992 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:25.907402992 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:25.916390896 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c5b | No error (0) | 213.183.76.21 | A (IP address) | IN (0x0001) | false | ||
Oct 4, 2024 16:32:25.916390896 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c5b | No error (0) | 213.183.76.22 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49161 | 213.183.76.22 | 443 | 3520 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:18 UTC | 132 | OUT | |
2024-10-04 14:32:18 UTC | 408 | IN | |
2024-10-04 14:32:18 UTC | 8 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.22 | 49162 | 213.183.76.21 | 443 | 3520 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:19 UTC | 115 | OUT | |
2024-10-04 14:32:20 UTC | 397 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.22 | 49163 | 213.183.76.21 | 443 | 3520 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:20 UTC | 114 | OUT | |
2024-10-04 14:32:21 UTC | 448 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
3 | 192.168.2.22 | 49164 | 213.183.76.22 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:25 UTC | 127 | OUT | |
2024-10-04 14:32:25 UTC | 408 | IN | |
2024-10-04 14:32:25 UTC | 8 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
4 | 192.168.2.22 | 49165 | 213.183.76.21 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:26 UTC | 157 | OUT | |
2024-10-04 14:32:27 UTC | 404 | IN | |
2024-10-04 14:32:27 UTC | 144 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
5 | 192.168.2.22 | 49166 | 213.183.76.21 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:27 UTC | 157 | OUT | |
2024-10-04 14:32:28 UTC | 404 | IN | |
2024-10-04 14:32:28 UTC | 144 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.22 | 49167 | 213.183.76.22 | 443 | 3520 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:29 UTC | 345 | OUT | |
2024-10-04 14:32:29 UTC | 385 | IN | |
2024-10-04 14:32:29 UTC | 38 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.22 | 49168 | 213.183.76.22 | 443 | 3520 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-04 14:32:30 UTC | 344 | OUT | |
2024-10-04 14:32:30 UTC | 442 | IN | |
2024-10-04 14:32:30 UTC | 2372 | IN | |
2024-10-04 14:32:30 UTC | 1724 | IN | |
2024-10-04 14:32:30 UTC | 557 | IN |
Target ID: | 1 |
Start time: | 10:32:06 |
Start date: | 04/10/2024 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f4c0000 |
File size: | 1'423'704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |