Edit tour

Windows Analysis Report
20220714 DWG.doc

Overview

General Information

Sample Name:	20220714 DWG.doc
Analysis ID:	665041
MD5:	5fd0deaaca6ac9645ba3e9aa8af3311c
SHA1:	4823c45cde3606a5189462a8c4441686706d04f3
SHA256:	b78c36823ab0b86b683d165e53405855b8e910c5011997e5a4a4620200cffc0a
Tags:	doc
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Potential document exploit detected (performs HTTP gets)

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2192 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipLast-Modified: Thu, 14 Jul 2022 16:59:59 GMTAccept-Ranges: bytesETag: "80119226a397d81:0"Vary: Accept-EncodingServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:19:28 GMTContent-Length: 4357Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bc 5a 7b 77 da c8 92 ff 7f ce 99 ef a0 70 f7 1e 4c 02 08 49 3c 84 6d bc 27 f1 23 f1 ac f3 18 db 49 26 ce e6 78 5b 52 0b 34 16 6a 5d a9 65 4c b2 f9 ee 5b d5 dd 12 02 04 38 73 37 c3 b1 0c 52 77 d7 ab ab 7e 55 d5 70 f8 c4 63 2e 9f c7 54 9b f0 69 78 f4 eb 2f 87 f8 ae 85 24 1a 8f 6a 34 aa e1 93 27 ad d6 af bf 68 f0 7a cd bc c0 0f a8 a7 f9 09 9b 6a 7c 42 b5 13 ea 04 24 d2 58 12 8c 83 88 84 9a cf 12 ed bd 93 45 3c 93 2b 2e 48 ca b5 2c f6 08 a7 de be 66 76 8c 7e cb 30 5a 46 5f 8e 5e 51 ba 0f 7c 79 9c ee eb 7a 48 b2 c8 9d c4 c4 6b 47 94 eb 4e 36 4e 75 c3 b4 ed fe b0 83 93 5b ad 23 7c 3b 9c 50 e2 1d c9 d5 87 53 ca 89 58 de a2 ff ca 82 fb 51 ed 98 45 9c 46 bc 75 0d fa d4 34 57 de 8d 6a 9c 3e 70 1d d5 3a d0 dc 09 49 52 ca 47 ef af cf 5a 76 4d d3 73 52 3c e0 21 3d 7a 1e 13 77 42 4d a5 01 28 e7 93 2c e4 da 3b 32 06 39 cf b9 36 63 c9 5d 7a a8 cb c9 6a 65 ca e7 21 d5 d0 82 8a 91 9b a6 35 6d 4a bd 80 8c 6a a9 9b 50 69 44 4d 7b aa 7d 93 4b a6 24 01 63 ed 6b 9d f8 a1 7c 1d c8 51 30 80 17 44 e3 ea e1 ef bf fe 82 6f 0e f3 e6 4d b1 61 39 cd 62 95 05 b3 4b d7 81 5c 00 4b 88 7b 37 4e 58 16 79 2d 97 85 2c d9 d7 fe 71 62 9f bc 38 35 8b 19 3e 98 ab e5 93 69 10 ce f7 b5 0f 34 f1 48 44 9a 5a 4a a2 b4 95 d2 24 f0 0f 4a d3 d2 e0 2b 58 c4 30 62 ae 9e a2 e6 2d 12 06 63 d0 cb 05 a3 d3 a4 2c af 17 dc b7 a7 24 88 6e 63 b0 64 21 32 4b 03 1e 30 58 90 d0 90 f0 e0 9e 2a 5a 5e 90 c6 21 01 21 38 71 42 5a c8 37 0b 3c 3e d9 d7 ec 4e a7 a4 96 b4 65 cb 61 9c b3 e9 be d2 b8 34 10 52 9f ef 6b 24 e3 6c f9 39 f8 eb 64 79 60 8b dd 95 05 59 e2 d1 a4 a5 c4 30 0b 4e ea 79 6e 55 d3 30 07 96 bd 3c 26 7c 64 5f 4b 59 18 78 db 76 e4 4c bc 8a 19 bb 8d 8a f6 bc c5 90 a0 49 6e d6 09 95 aa 0d 87 85 84 4a 64 a3 d3 f9 e7 56 ee bd b3 fe d9 60 1b 8b 34 86 58 5f f1 62 a3 57 b2 57 af 6c b0 b2 a7 d8 82 75 f1 74 a6 84 74 58 e8 6d 63 18 4c c7 ab fc ac 12 bb ee fa fe ec 6f 8a 19 24 2d 1c ea 96 f9 b7 0a 1a d2 9c b8 1b 52 02 4b d1 5b 16 ae 05 6e 92 6f 76 85 cf fd 50 a8 6d d9 58 c5 73 bb 9c b7 01 a7 d3 6d c2 56 6d 71 2e 67 77 93 43 ef 94 33 7f dc 11 af 83 7f 4b 78 b2 ba 91 fd 92 58 fd f5 bd 52 ab 6f 53 ea 22 4a 54 b9 c1 cf 31 fe 0a e3 5b 9c bf 06 b3 68 53 1b 3d 50 be 6f b7 58 39 10 3a 2a 10 76 31 8c 13 ba aa b2 ad 8c 65 57 e7 0b 5b 0d d9 2b 22 2d e3 96 b1 8a 5b 0a 9b 3c 40 50 ea 55 43 5a a1 cc 6e e8 28 2b 2c 09 07 1c 6c ed 3e 4e e7 65 8d 0b 54 df ed 1d 72 7d 16 36 37 0f 86 c1 d6 4d 34 2a 98 e4 eb 97 01 76 29 d5 f6 95 0b f6 b7 bb a0 7d 3a 3c 7e 61 ae 79 49 e1 99 9b 81 71 25 e1 9a ff ac 88 c2 ea dc b0 2c fd 6d 02 65 db b7 8d 02 1e 9f 98 46 f7 6c 07 89 71 42 e7 5b 68 0c cf 86 96 dd 2f d3 68 fb 21 83 cc 1e 8d 6f 69 48 a7 20 e5 ce dc 2f 16 fc 18 ae 34 b7 fa 44 01 3b c2 60 1e 75 59 42 24 e7 88 45 f4 b1 39 69 13 ef fd 30 8

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.237.18

Source: global traffic	HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.141.237.18Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Glomet.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 45.141.237.18If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMTIf-None-Match: "80119226a397d81:0"Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /icons/ubuntu-logo.png HTTP/1.1Accept: /Referer: http://45.141.237.18/Glomet.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.141.237.18Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0Date: Fri, 15 Jul 2022 13:19:30 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 7

Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr, ~WRS{2D922950-B6AB-4AD8-83F9-D5771B48C810}.tmp.0.dr	String found in binary or memory: http://45.141.237.18/Glomet.html
Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr	String found in binary or memory: http://45.141.237.18/Glomet.htmlyX
Source: 72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	String found in binary or memory: http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
Source: 72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: 72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	String found in binary or memory: https://launchpad.net/bugs/1288690

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45930AE1-8162-4D9A-BE35-4DB39144DF11}.tmp

Jump to behavior

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Document image extraction number: 0	Screenshot OCR: enable editing" to view content ~ 0 ~ 0 4~~ - m gm " . ~ ~ m~ ~ Wp 0 0 mb ~ "
Source: Document image extraction number: 1	Screenshot OCR: enable editing" to view content wm .~ ~ - D m
Source: Screenshot number: 12	Screenshot OCR: enable editing" to view content , ii:, ^ Cl m ~ "" au":,g

Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR696C.tmp

Jump to behavior

Source: classification engine

Classification label: mal48.winDOC@1/19@0/1

Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 20220714 DWG.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\20220714 DWG.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$220714 DWG.doc

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: ~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	3 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	13 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
20220714 DWG.doc	3%	Virustotal		Browse
20220714 DWG.doc	5%	ReversingLabs

Source	Detection	Scanner	Label
http://45.141.237.18/Glomet.html	0%	Avira URL Cloud	safe
http://45.141.237.18/icons/ubuntu-logo.png	0%	Avira URL Cloud	safe
http://45.141.237.18/Glomet.htmlyX	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://45.141.237.18/Glomet.html	false	Avira URL Cloud: safe	unknown
http://45.141.237.18/icons/ubuntu-logo.png	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bugs.launchpad.net/ubuntu/	72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	false		high
https://launchpad.net/bugs/1288690	72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	false		high
http://45.141.237.18/Glomet.htmlyX	~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://httpd.apache.org/docs/2.4/mod/mod_userdir.html	72919526.htm.0.dr, 2264EBF3.htm.0.dr, Glomet[1].htm.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.141.237.18	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	665041
Start date and time: 15/07/202215:18:18	2022-07-15 15:18:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	20220714 DWG.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winDOC@1/19@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28965469895696927
Encrypted:	false
SSDEEP:	96:K4LecPgew6P30Hz1UVdk2uZWEjSyEjSzH:LXJPkudoZWEeyEeT
MD5:	277267540FDF0D1B99E9188FB2F4AC22
SHA1:	B53317142E93AC66F9A19426E48E570ED7DECA35
SHA-256:	3CECE60648C77360036E21BA3E098B4C4C7A5F0927903A639C8ECCDBE824BEFA
SHA-512:	3F5480252AECB12D656BA5B2E703356706A39544F6C80F36B443435AF3265F2C7D53C3D6C974AA575541BEE64AA971BBC53113193C2B48FA58CE5F8004F49CDB
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zi..+...C....?...S,...X.F...Fa.q.............................l%...K...}^.{........\|.:.e>.A.W...1...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.965614028395722
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	20220714 DWG.doc
File size:	952586
MD5:	5fd0deaaca6ac9645ba3e9aa8af3311c
SHA1:	4823c45cde3606a5189462a8c4441686706d04f3
SHA256:	b78c36823ab0b86b683d165e53405855b8e910c5011997e5a4a4620200cffc0a
SHA512:	f437de0000c2b6aa2c42c9d750b723385da1bf0bce22f2008116392a12a7d168cc8bdf5065fd232889087512ef321a20578e5c4fdb24cd08a5ebf33d31167e1d
SSDEEP:	24576:i1yg5B+jHQ89ihbudaSMcKdth3ut3w7mM4nnl:iJzQQ8U4fwdqtb3l
TLSH:	D51512C5B9A69E8AC3D297318F7DD8005F3BB5734188142EF5C2E65834C7AD6CA53B22
File Content Preview:	PK........o..T................[Content_Types].xml<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.openxmlformats-offi

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2022 15:19:13.933880091 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:13.967565060 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:13.967688084 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:13.968219995 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:14.012202978 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:14.012552977 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:20.354476929 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:20.383788109 CEST	80	49174	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:20.383899927 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:20.384120941 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:20.414019108 CEST	80	49174	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:20.619471073 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:24.419188023 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:24.449227095 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:24.449409962 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:24.449606895 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:24.478595018 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:24.674953938 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:25.366034985 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:25.406409979 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:25.406445980 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:25.406594038 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.025697947 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.054836988 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.054872036 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.054991961 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.092247963 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.122186899 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.122217894 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.122235060 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.122250080 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.122273922 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.122318029 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.316083908 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.350343943 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.350541115 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.560153008 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.595098972 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.595221996 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.633358955 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:28.665504932 CEST	80	49174	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:28.872771978 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:29.605073929 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:29.633644104 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:29.633677959 CEST	80	49175	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:29.633810997 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:29.633948088 CEST	49175	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.537292004 CEST	49176	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.580712080 CEST	80	49176	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.580872059 CEST	49176	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.580990076 CEST	49176	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.611392975 CEST	80	49176	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.611435890 CEST	80	49176	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.611593962 CEST	49176	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.624536037 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.661703110 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.661853075 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.673917055 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.701828957 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.701967001 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.899557114 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:30.933026075 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:30.933279037 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:31.042346954 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:19:31.075503111 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:31.075603008 CEST	80	49173	45.141.237.18	192.168.2.22
Jul 15, 2022 15:19:31.075840950 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:20:30.950697899 CEST	49174	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:20:36.697803020 CEST	49173	80	192.168.2.22	45.141.237.18
Jul 15, 2022 15:21:24.432647943 CEST	49176	80	192.168.2.22	45.141.237.18

Timestamp	kBytes transferred	Direction	Data
Jul 15, 2022 15:19:13.968219995 CEST	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 45.141.237.18 Content-Length: 0 Connection: Keep-Alive
Jul 15, 2022 15:19:14.012202978 CEST	0	IN	HTTP/1.1 200 OK Allow: OPTIONS, TRACE, GET, HEAD, POST Server: Microsoft-IIS/10.0 Public: OPTIONS, TRACE, GET, HEAD, POST Date: Fri, 15 Jul 2022 13:19:13 GMT Content-Length: 0
Jul 15, 2022 15:19:28.092247963 CEST	6	OUT	GET /Glomet.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 45.141.237.18 Connection: Keep-Alive
Jul 15, 2022 15:19:28.122186899 CEST	7	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Encoding: gzip Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "80119226a397d81:0" Vary: Accept-Encoding Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:28 GMT Content-Length: 4357 Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bc 5a 7b 77 da c8 92 ff 7f ce 99 ef a0 70 f7 1e 4c 02 08 49 3c 84 6d bc 27 f1 23 f1 ac f3 18 db 49 26 ce e6 78 5b 52 0b 34 16 6a 5d a9 65 4c b2 f9 ee 5b d5 dd 12 02 04 38 73 37 c3 b1 0c 52 77 d7 ab ab 7e 55 d5 70 f8 c4 63 2e 9f c7 54 9b f0 69 78 f4 eb 2f 87 f8 ae 85 24 1a 8f 6a 34 aa e1 93 27 ad d6 af bf 68 f0 7a cd bc c0 0f a8 a7 f9 09 9b 6a 7c 42 b5 13 ea 04 24 d2 58 12 8c 83 88 84 9a cf 12 ed bd 93 45 3c 93 2b 2e 48 ca b5 2c f6 08 a7 de be 66 76 8c 7e cb 30 5a 46 5f 8e 5e 51 ba 0f 7c 79 9c ee eb 7a 48 b2 c8 9d c4 c4 6b 47 94 eb 4e 36 4e 75 c3 b4 ed fe b0 83 93 5b ad 23 7c 3b 9c 50 e2 1d c9 d5 87 53 ca 89 58 de a2 ff ca 82 fb 51 ed 98 45 9c 46 bc 75 0d fa d4 34 57 de 8d 6a 9c 3e 70 1d d5 3a d0 dc 09 49 52 ca 47 ef af cf 5a 76 4d d3 73 52 3c e0 21 3d 7a 1e 13 77 42 4d a5 01 28 e7 93 2c e4 da 3b 32 06 39 cf b9 36 63 c9 5d 7a a8 cb c9 6a 65 ca e7 21 d5 d0 82 8a 91 9b a6 35 6d 4a bd 80 8c 6a a9 9b 50 69 44 4d 7b aa 7d 93 4b a6 24 01 63 ed 6b 9d f8 a1 7c 1d c8 51 30 80 17 44 e3 ea e1 ef bf fe 82 6f 0e f3 e6 4d b1 61 39 cd 62 95 05 b3 4b d7 81 5c 00 4b 88 7b 37 4e 58 16 79 2d 97 85 2c d9 d7 fe 71 62 9f bc 38 35 8b 19 3e 98 ab e5 93 69 10 ce f7 b5 0f 34 f1 48 44 9a 5a 4a a2 b4 95 d2 24 f0 0f 4a d3 d2 e0 2b 58 c4 30 62 ae 9e a2 e6 2d 12 06 63 d0 cb 05 a3 d3 a4 2c af 17 dc b7 a7 24 88 6e 63 b0 64 21 32 4b 03 1e 30 58 90 d0 90 f0 e0 9e 2a 5a 5e 90 c6 21 01 21 38 71 42 5a c8 37 0b 3c 3e d9 d7 ec 4e a7 a4 96 b4 65 cb 61 9c b3 e9 be d2 b8 34 10 52 9f ef 6b 24 e3 6c f9 39 f8 eb 64 79 60 8b dd 95 05 59 e2 d1 a4 a5 c4 30 0b 4e ea 79 6e 55 d3 30 07 96 bd 3c 26 7c 64 5f 4b 59 18 78 db 76 e4 4c bc 8a 19 bb 8d 8a f6 bc c5 90 a0 49 6e d6 09 95 aa 0d 87 85 84 4a 64 a3 d3 f9 e7 56 ee bd b3 fe d9 60 1b 8b 34 86 58 5f f1 62 a3 57 b2 57 af 6c b0 b2 a7 d8 82 75 f1 74 a6 84 74 58 e8 6d 63 18 4c c7 ab fc ac 12 bb ee fa fe ec 6f 8a 19 24 2d 1c ea 96 f9 b7 0a 1a d2 9c b8 1b 52 02 4b d1 5b 16 ae 05 6e 92 6f 76 85 cf fd 50 a8 6d d9 58 c5 73 bb 9c b7 01 a7 d3 6d c2 56 6d 71 2e 67 77 93 43 ef 94 33 7f dc 11 af 83 7f 4b 78 b2 ba 91 fd 92 58 fd f5 bd 52 ab 6f 53 ea 22 4a 54 b9 c1 cf 31 fe 0a e3 5b 9c bf 06 b3 68 53 1b 3d 50 be 6f b7 58 39 10 3a 2a 10 76 31 8c 13 ba aa b2 ad 8c 65 57 e7 0b 5b 0d d9 2b 22 2d e3 96 b1 8a 5b 0a 9b 3c 40 50 ea 55 43 5a a1 cc 6e e8 28 2b 2c 09 07 1c 6c ed 3e 4e e7 65 8d 0b 54 df ed 1d 72 7d 16 36 37 0f 86 c1 d6 4d 34 2a 98 e4 eb 97 01 76 29 d5 f6 95 0b f6 b7 bb a0 7d 3a 3c 7e 61 ae 79 49 e1 99 9b 81 71 25 e1 9a ff ac 88 c2 ea dc b0 2c fd 6d 02 65 db b7 8d 02 1e 9f 98 46 f7 6c 07 89 71 42 e7 5b 68 0c cf 86 96 dd 2f d3 68 fb 21 83 cc 1e 8d 6f 69 48 a7 20 e5 ce dc 2f 16 fc 18 ae 34 b7 fa 44 01 3b c2 60 1e 75 59 42 24 e7 88 45 f4 b1 39 69 13 ef fd 30 88 ee 9a 3b 67 dd 07 a0 2e f5 76 4f 24 2e da a2 00 fa 75 30 79 8c 4c 13 76 bf f0 d6 8a 7d 5a 09 e7 0a 67 dc 15 68 2b 7a 6f 98 53 d6 7a db bc 65 a5 ab 0a d5 e3 93 b3 d3 fe 36 8c dd 2d f0 5f 34 4a c1 7a 89 c7 3d 04 1e b4 34 4c 11 fc ae 5a 01 5d 40 9e ec 53 f4 a2 51 39 c4 6a 3d ef 16 60 35 e4 6f 92 a6 a3 5a 51 10 d7 d4 e0 f2 70 b9 0c 5a 0d a3 c5 0a 58 83 35 52 9a b8 a3 9a 1e 80 ee a9 9e 89 e6 a5 15 b2 31 6b c7 d1 b8 a6 91 10 7a 20 d5 d2 5c c0 d3 5a ce 62 8d ac 5e a6 2b 8a bd Data Ascii: Z{wpLI<m'#I&x[R4j]eL[8s7Rw~Upc.Tix/$j4'hzj\|B$XE<+.H,fv~0ZF_^Q\|yzHkGN6Nu[#\|;PSXQEFu4Wj>p:IRGZvMsR<!=zwBM(,;296c]zje!5mJjPiDM{}K$ck\|Q0DoMa9bK\K{7NXy-,qb85>i4HDZJ$J+X0b-c,$ncd!2K0XZ^!!8qBZ7<>Nea4Rk$l9dy`Y0NynU0<&\|d_KYxvLInJdV`4X_bWWluttXmcLo$-RK[novPmXsmVmq.gwC3KxXRoS"JT1[hS=PoX9:v1eW[+"-[<@PUCZn(+,l>NeTr}67M4*v)}:<~ayIq%,meFlqB[h/h!oiH /4D;`uYB$E9i0;g.vO$.u0yLv}Zgh+zoSze6-_4Jz=4LZ]@SQ9j=`5oZQpZX5R1kz \Zb^+
Jul 15, 2022 15:19:28.316083908 CEST	11	OUT	HEAD /Glomet.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18 Content-Length: 0 Connection: Keep-Alive
Jul 15, 2022 15:19:28.350343943 CEST	11	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:28 GMT
Jul 15, 2022 15:19:28.560153008 CEST	11	OUT	HEAD /Glomet.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18 Content-Length: 0 Connection: Keep-Alive
Jul 15, 2022 15:19:28.595098972 CEST	11	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:28 GMT
Jul 15, 2022 15:19:30.624536037 CEST	16	OUT	GET /Glomet.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 45.141.237.18 If-Modified-Since: Thu, 14 Jul 2022 16:59:59 GMT If-None-Match: "80119226a397d81:0" Connection: Keep-Alive
Jul 15, 2022 15:19:30.661703110 CEST	16	IN	HTTP/1.1 304 Not Modified Date: Fri, 15 Jul 2022 13:19:30 GMT Etag: "80119226a397d81:0"
Jul 15, 2022 15:19:30.673917055 CEST	17	OUT	HEAD /Glomet.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18 Content-Length: 0 Connection: Keep-Alive
Jul 15, 2022 15:19:30.701828957 CEST	17	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:30 GMT
Jul 15, 2022 15:19:30.899557114 CEST	17	OUT	HEAD /Glomet.html HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18 Content-Length: 0 Connection: Keep-Alive
Jul 15, 2022 15:19:30.933026075 CEST	18	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:30 GMT
Jul 15, 2022 15:19:31.042346954 CEST	18	OUT	GET /icons/ubuntu-logo.png HTTP/1.1 Accept: / Referer: http://45.141.237.18/Glomet.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 45.141.237.18 Connection: Keep-Alive
Jul 15, 2022 15:19:31.075503111 CEST	19	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:30 GMT Content-Length: 1245 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 2c 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 68 33 3e 0d 0a 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>

Timestamp	kBytes transferred	Direction	Data
Jul 15, 2022 15:19:20.384120941 CEST	1	OUT	HEAD /Glomet.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18
Jul 15, 2022 15:19:20.414019108 CEST	1	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:20 GMT
Jul 15, 2022 15:19:28.633358955 CEST	12	OUT	HEAD /Glomet.html HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 45.141.237.18
Jul 15, 2022 15:19:28.665504932 CEST	12	IN	HTTP/1.1 200 OK Content-Length: 13687 Content-Type: text/html Last-Modified: Thu, 14 Jul 2022 16:59:59 GMT Accept-Ranges: bytes ETag: "3136d726a397d81:0" Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:28 GMT

Timestamp	kBytes transferred	Direction	Data
Jul 15, 2022 15:19:24.449606895 CEST	1	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 45.141.237.18
Jul 15, 2022 15:19:24.478595018 CEST	1	IN	HTTP/1.1 200 OK Allow: OPTIONS, TRACE, GET, HEAD, POST Server: Microsoft-IIS/10.0 Public: OPTIONS, TRACE, GET, HEAD, POST Date: Fri, 15 Jul 2022 13:19:24 GMT Content-Length: 0
Jul 15, 2022 15:19:25.406409979 CEST	3	IN	HTTP/1.1 405 Method Not Allowed Allow: GET, HEAD, OPTIONS, TRACE Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:24 GMT Content-Length: 1293 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>405 - HTTP verb used to access this page is not allowed.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>405 - HTTP verb used to access this page is not allowed.</h2> <h3>The page you are looking for ca
Jul 15, 2022 15:19:28.054836988 CEST	5	IN	HTTP/1.1 405 Method Not Allowed Allow: GET, HEAD, OPTIONS, TRACE Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:28 GMT Content-Length: 1293 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>405 - HTTP verb used to access this page is not allowed.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>405 - HTTP verb used to access this page is not allowed.</h2> <h3>The page you are looking for ca
Jul 15, 2022 15:19:29.633644104 CEST	14	IN	HTTP/1.1 405 Method Not Allowed Allow: GET, HEAD, OPTIONS, TRACE Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Fri, 15 Jul 2022 13:19:29 GMT Content-Length: 1293 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 35 20 2d 20 48 54 54 50 20 76 65 72 62 20 75 73 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 70 61 67 65 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>405 - HTTP verb used to access this page is not allowed.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>405 - HTTP verb used to access this page is not allowed.</h2> <h3>The page you are looking for ca

Target ID:	0
Start time:	15:18:17
Start date:	15/07/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f6e0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 20220714 DWG.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A06192A-30A6-47D1-ADF8-054AC9F6B663}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5D1B35F5-C171-4718-AE70-CD91AAB04010}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Glomet[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2264EBF3.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6387B6EF.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72919526.htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3BCD92F0-1C3B-4D0C-AD4B-E4107D6CB424}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D922950-B6AB-4AD8-83F9-D5771B48C810}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45930AE1-8162-4D9A-BE35-4DB39144DF11}.tmp

C:\Users\user\AppData\Local\Temp\{728775D7-78F7-46CF-AD44-B53E52FE2573}

C:\Users\user\AppData\Local\Temp\{925F4F9C-7A22-47FE-BE3A-D6DAAFE95668}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\20220714 DWG.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$220714 DWG.doc

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

System Behavior

Windows Analysis Report
20220714 DWG.doc