
Windows Analysis Report
C1ZGt61uGv.docx

Overview

General Information

Sample Name: C1ZGt61uGv.docx
Analysis ID: 686026
MD5: 98998af843c2c938c079a102abe6c73d
SHA1: b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
SHA256: b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 5772 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5500 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  • cleanup
No configs have been found
Source | Rule | Description | Author
document.xml.rels | SUSP_Doc_WordXMLRels_May22 | Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x3d2:$a2: TargetMode="External"
  • 0x3ca:$x1: .html!
document.xml.rels | INDICATOR_OLE_RemoteTemplate | Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents | ditekSHen
Strings:
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3d2:$mode: TargetMode="External
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
    Source | Rule | Description | Author
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard
    Strings:
    • 0x1444:$a: PCWDiagnostic
    • 0x1438:$sa3: ms-msdt
    • 0x1498:$sb3: IT_BrowseForFile=
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard
    Strings:
    • 0x1427:$re1: location.href = "ms-msdt:
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard
    Strings:
    • 0x1444:$a: PCWDiagnostic
    • 0x1438:$sa3: ms-msdt
    • 0x1498:$sb3: IT_BrowseForFile=
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard
    Strings:
    • 0x1427:$re1: location.href = "ms-msdt:
      No Sigma rule has matched
      Timestamp: 08/18/22-04:23:24.931708
      Source IP: 35.186.245.55
      Destination IP: 192.168.2.22
      SID: 2025010
      Source Port: 443
      Destination Port: 49176
      Protocol: TCP
      Classtype: A Network Trojan was detected
      Timestamp: 08/18/22-04:23:28.806682
      Source IP: 35.186.245.55
      Destination IP: 192.168.2.22
      SID: 2025010
      Source Port: 443
      Destination Port: 49181
      Protocol: TCP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: C1ZGt61uGv.docx | Avira: detected
      Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
      Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
      Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

      Exploits

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED
      Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49713 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49716 version: TLS 1.2
      Source: global traffic | DNS query: name: dullghostwhitetwintext.karewen.repl.co

      Networking

      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49176
      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49181
      Source: global traffic | HTTP traffic detected:
        GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
        Accept-Encoding: gzip, deflate
        Host: dullghostwhitetwintext.karewen.repl.co
        Connection: Keep-Alive
      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:29:08 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757733; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:29:12 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757729; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:31:43 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757578; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:31:44 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757577; includeSubDomains | Connection: close
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.aadrm.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.aadrm.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.cortana.ai
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.office.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.onedrive.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://augloop.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cdn.entity.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://config.edge.skype.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cortana.ai
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cortana.ai/api
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://cr.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dev.cortana.ai
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://devnull.onenote.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://directory.services.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://graph.windows.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://graph.windows.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://invites.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://lifecycle.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://login.windows.local
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://management.azure.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://management.azure.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.action.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.engagement.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://messaging.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ncus.contentsync.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://officeapps.live.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://onedrive.live.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://osi.office.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office365.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office365.com/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://roaming.edog.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://settings.outlook.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://staging.cortana.ai
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://tasks.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://wus2.contentsync.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: 9AD07AEC-2B98-4723-BED2-037E998950B4.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: unknown | DNS traffic detected: queries for: dullghostwhitetwintext.karewen.repl.co
      Source: global traffic | HTTP traffic detected (request, observed twice):
        GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
        Accept-Encoding: gzip, deflate
        Host: dullghostwhitetwintext.karewen.repl.co
        Connection: Keep-Alive
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49713 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49716 version: TLS 1.2

      System Summary

      barindex
      Source: document.xml.rels, type: SAMPLEMatched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
      Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
      Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
      Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
      Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
      Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
      Source: C1ZGt61uGv.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\C1ZGt61uGv.docx
      Source: C1ZGt61uGv.docx | OLE indicator, Word Document stream: true
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{43DFBCA4-69C6-481F-828D-0F0BE60BBB1D} - OProcSessId.dat
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
      Source: classification engine | Classification label: mal96.expl.evad.winDOCX@3/12@2/1
      Source: C1ZGt61uGv.docx | OLE document summary: title field not present or empty
      Source: C1ZGt61uGv.docx | OLE document summary: edited time not present or 0
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: C1ZGt61uGv.docx | Initial sample: OLE indicators vbamacros = False

      Persistence and Installation Behavior

      Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
      MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique):

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Exploitation for Client Execution (13) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (14) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer (3) | SIM Card Swap | Carrier Billing Fraud |

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Source | Detection | Scanner | Label
      C1ZGt61uGv.docx | 46% | Virustotal |
      C1ZGt61uGv.docx | 26% | Metadefender |
      C1ZGt61uGv.docx | 35% | ReversingLabs | Document-Word.Trojan.Minerva
      C1ZGt61uGv.docx | 100% | Avira | W97M/Dldr.Agent.G1
      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | 100% | Avira | JS/CVE-2022-30190.G
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | 100% | Avira | JS/CVE-2022-30190.G
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      https://roaming.edog. | 0% | URL Reputation | safe
      https://cdn.entity. | 0% | URL Reputation | safe
      https://powerlift.acompli.net | 0% | URL Reputation | safe
      https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
      https://cortana.ai | 0% | URL Reputation | safe
      https://api.aadrm.com/ | 0% | URL Reputation | safe
      https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
      https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
      https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
      https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
      https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
      https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
      https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
      https://api.aadrm.com | 0% | URL Reputation | safe
      https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
      https://www.odwebp.svc.ms | 0% | URL Reputation | safe
      https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
      https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
      https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
      https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
      https://ncus.contentsync. | 0% | URL Reputation | safe
      https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
      https://wus2.contentsync. | 0% | URL Reputation | safe
      https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
      https://ncus.pagecontentsync. | 0% | URL Reputation | safe
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      dullghostwhitetwintext.karewen.repl.co | 34.149.204.188 | true | false | | high

      Name | Malicious | Antivirus Detection | Reputation
      https://dullghostwhitetwintext.karewen.repl.co/index.html | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://api.diagnosticssdf.office.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://login.microsoftonline.com/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://shell.suite.office.com:1443 | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://autodiscover-s.outlook.com/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://roaming.edog. | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://cdn.entity. | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://api.addins.omex.office.net/appinfo/query | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://clients.config.office.net/user/v1.0/tenantassociationkey | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://powerlift.acompli.net | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://rpsticket.partnerservices.getmicrosoftkey.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://lookup.onenote.com/lookup/geolocation/v1 | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://cortana.ai | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://cloudfiles.onenote.com/upload.aspx | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://entitlement.diagnosticssdf.office.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://api.aadrm.com/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://ofcrecsvcapi-int.azurewebsites.net/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://api.microsoftstream.com/api/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://cr.office.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | Avira URL Cloud: safe | low
      https://portal.office.com/account/?ref=ClientMeControl | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://graph.ppe.windows.net | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://res.getmicrosoftkey.com/api/redemptionevents | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://powerlift-frontdesk.acompli.net | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://tasks.office.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://officeci.azurewebsites.net/api/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://my.microsoftpersonalcontent.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://store.office.cn/addinstemplate | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://api.aadrm.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://outlook.office.com/autosuggest/api/v1/init?cvid= | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://globaldisco.crm.dynamics.com | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://messaging.engagement.office.com/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://dev0-api.acompli.net/autodetect | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://www.odwebp.svc.ms | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://api.diagnosticssdf.office.com/v2/feedback | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://api.powerbi.com/v1.0/myorg/groups | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://web.microsoftstream.com/video/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://api.addins.store.officeppe.com/addinstemplate | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
      https://graph.windows.net | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | | high
      https://dataservice.o365filtering.com/ | 9AD07AEC-2B98-4723-BED2-037E998950B4.0.dr | false | URL Reputation: safe | unknown
                                                                        https://officesetup.getmicrosoftkey.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://analysis.windows.net/powerbi/api9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                          high
                                                                          https://prod-global-autodetect.acompli.net/autodetect9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://outlook.office365.com/autodiscover/autodiscover.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                            high
                                                                            https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                              high
                                                                              https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                high
                                                                                https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                  high
                                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                    high
                                                                                    https://ncus.contentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                      high
                                                                                      https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                        high
                                                                                        http://weather.service.msn.com/data.aspx9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                          high
                                                                                          https://apis.live.net/v5.0/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                            high
                                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                              high
                                                                                              https://messaging.lifecycle.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                high
                                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                  high
                                                                                                  https://management.azure.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                    high
                                                                                                    https://outlook.office365.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                      high
                                                                                                      https://wus2.contentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://incidents.diagnostics.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                        high
                                                                                                        https://clients.config.office.net/user/v1.0/ios9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                          high
                                                                                                          https://insertmedia.bing.office.net/odc/insertmedia9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                            high
                                                                                                            https://o365auditrealtimeingestion.manage.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office365.com/api/v1.0/me/Activities9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                high
                                                                                                                https://api.office.net9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                  high
                                                                                                                  https://incidents.diagnosticssdf.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                    high
                                                                                                                    https://asgsmsproxyapi.azurewebsites.net/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://clients.config.office.net/user/v1.0/android/policies9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                      high
                                                                                                                      https://entitlement.diagnostics.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                        high
                                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                          high
                                                                                                                          https://substrate.office.com/search/api/v2/init9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                              high
                                                                                                                              https://storage.live.com/clientlogs/uploadlocation9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://webshell.suite.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://substrate.office.com/search/api/v1/SearchHistory9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://management.azure.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://messaging.lifecycle.office.com/getcustommessage169AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://clients.config.office.net/c2r/v1.0/InteractiveInstallation9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://login.windows.net/common/oauth2/authorize9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://graph.windows.net/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://api.powerbi.com/beta/myorg/imports9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://devnull.onenote.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://messaging.action.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://ncus.pagecontentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://messaging.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                            high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
34.149.204.188 | dullghostwhitetwintext.karewen.repl.co | United States | 2686 | ATGS-MMD-AS | false
General Information

Joe Sandbox Version:35.0.0 Citrine
Analysis ID:686026
Start date and time:2022-08-18 04:28:08 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 30s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:C1ZGt61uGv.docx
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:25
Number of new started drivers analysed:1
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal96.expl.evad.winDOCX@3/12@2/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .docx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.141, 52.109.88.38, 52.109.76.36, 52.109.12.24, 52.109.76.33
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, store-images.microsoft.com, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

No simulations
                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                            34.149.204.188C1ZGt61uGv.docxGet hashmaliciousBrowse
                                                                                                                                                              No context
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              ATGS-MMD-ASUSC1ZGt61uGv.docxGet hashmaliciousBrowse
                                                                                                                                                              • 34.149.204.188
                                                                                                                                                              No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Microsoft Access Database
Category: dropped
Size (bytes): 528384
Entropy (8bit): 0.47577658796690125
Encrypted: false
SSDEEP: 384:z0HGfXArJCKE8SFNfZ0jGBChxQWfwtZ1II+hVZO4Fg:z3fXACdHZZM3Df/zI
MD5: F1D2BA9091205066A55618062B66050A
SHA1: 41BECA7F78E2F2AEE28F1EF883608BBB0672D36E
SHA-256: 9EB44F67B6945C225F04371D022EA02E1C6761CD5F11630EB3CC5C5F083A62E2
SHA-512: 6A71B7FE43E54FEA2A93710BD3FB540109A0FD0F1C36310F8D6BA107E29D9F5EE3AB996210C4B3B13F978D523A2633B78533C61DF16E6A6DD8CDF215CD0C9E93
Malicious: false
Reputation: low

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 36
Entropy (8bit): 2.730660070105504
Encrypted: false
SSDEEP: 3:5NixJlElGUR:WrEcUR
MD5: 1F830B53CA33A1207A86CE43177016FA
SHA1: BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256: EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512: 502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious: false
Reputation: moderate, very likely benign file
Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.4172860556164644
Encrypted: false
SSDEEP: 3:mpl/vaV:mLu
MD5: 13B298EF83EFE8258432E1FFC9D94466
SHA1: A093E48FD3BACC5E346ADFFC3B803ADB0CEF64C0
SHA-256: B93F8A727C7BFD26FB41AE610DA83BA8B71C73E8058EF09F2F1B2F702BD71CED
SHA-512: 98C7D1A261AD0AC2F1AA6B03A36B7E37E6B2475A35EE42113F6ED4F52EE9BE6888D5DB29D7B69275A70A86C69C870901517B900A716E9BD38AE71ABDBE38A2BA
Malicious: false
Reputation: low
Preview: 927537. Admin.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 148061
Entropy (8bit): 5.358146407288765
Encrypted: false
SSDEEP: 1536:IcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:r1Q9DQe+zuXYr
MD5: 5C5C8FA149FACF1CBE4B3EBD3382A785
SHA1: 9BBD5D561FE0539C16C2E7EF0D5E6AAE1280DC4C
SHA-256: F81CA7FA8430DBD1BFF3CBEDC0A28695D47CC80EEE4ACFBFFE96A3A08D24BBC4
SHA-512: EDD3C0D7F0AE09DCC4DEF8B056346C1358F9FA53F81A6B52116E2D52AEC3434491AC6BBC3CF2037E9D2411D0DDA3C33730AEA5C44B4A51451550B668A062E149
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-18T02:29:04">.. Build: 16.0.15614.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):5901
                                                                                                                                                              Entropy (8bit):4.701941274629396
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
                                                                                                                                                              MD5:2C855A56E062B197D4CC9D021DF71219
                                                                                                                                                              SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
                                                                                                                                                              SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
                                                                                                                                                              SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
                                                                                                                                                              Malicious:true
                                                                                                                                                              Yara Hits:
                                                                                                                                                              • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                              • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                              • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Joe Security
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):10172
                                                                                                                                                              Entropy (8bit):3.928478624213631
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:q373cifeyUaIWmBJOhTDOj1WN7M60iIiB7rSwVauLM/Myof9NLRgMy7k3e2kW86J:873xeXaIBckry+Ks8D+plS
                                                                                                                                                              MD5:C349F98D0BBE0D72F9A6E34335918207
                                                                                                                                                              SHA1:B2184C336F95E1ED5F338D1B27D06A4F8E1C535F
                                                                                                                                                              SHA-256:8ACC7CBE7BEB283D3908F418FB5390623F1EB46018F426D4911F5515E786CAA5
                                                                                                                                                              SHA-512:A6DE09C1E4B3947EF4B8BF46B14A3E77AFFB6004EDED3560814720B8304542F1722EFEF83502E0532C76B438015B84200302BE5CE5F8C1228A881F050BE8AE5B
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:....l...............I...........'...9... EMF.....'..........................8...5.......................................................R...R...p...................................S.e.g.o.e. .U.I.................................................................................................................................................................................................................................................................................................................dv......%...................................r....$..`.........../...`.......0...0..................?...........?................l...4........$..0...0...(...0...0..... ......$......................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):5901
                                                                                                                                                              Entropy (8bit):4.701941274629396
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
                                                                                                                                                              MD5:2C855A56E062B197D4CC9D021DF71219
                                                                                                                                                              SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
                                                                                                                                                              SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
                                                                                                                                                              SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
                                                                                                                                                              Malicious:true
                                                                                                                                                              Yara Hits:
                                                                                                                                                              • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                              • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                              • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Joe Security
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              IE Cache URL:https://dullghostwhitetwintext.karewen.repl.co/index.html
                                                                                                                                                              Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:31 2022, mtime=Thu Aug 18 01:31:47 2022, atime=Thu Aug 18 01:29:02 2022, length=26614, window=hide
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1060
                                                                                                                                                              Entropy (8bit):4.697968162284448
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:12:8D3ZjUhcduCH2zE4ECH0+WpmtGxbKzjEjAJ/Dt3t/DmGK/NDu9u9L44t2Y+xIBj1:8D3sUKxxaoUAJbt3J8DMMk7aB6m
                                                                                                                                                              MD5:59E0ACC4554DE387C6E188AC9F18E591
                                                                                                                                                              SHA1:29DAEE6057B458A415690799D1B379B8AB66590D
                                                                                                                                                              SHA-256:F412CE351B2C63DA034DCCD6B74F314B5B4BC72154AF85FDFD17247A2BED36D1
                                                                                                                                                              SHA-512:08E150A76E5A0E4FA89B147ED68DDB3E839844991B32E781FE20465A990CFC7DD8E8EC4E26A429EDD09BC726CE6F9979DCD76265A26855CC335D434EE8E81347
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:L..................F.... ....C..u.../........G.....g...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U......................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U1m..user.<.......N...U......#J......................,.j.o.n.e.s.....~.1......U2m..Desktop.h.......N...U.......Y..............>.......8.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2..g...U.. .C1ZGT6~1.DOC..P.......U0m.U......P......................_..C.1.Z.G.t.6.1.u.G.v...d.o.c.x.......U...............-.......T...........>.S......C:\Users\user\Desktop\C1ZGt61uGv.docx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.1.Z.G.t.6.1.u.G.v...d.o.c.x.........:..,.LB.)...As...`.......X.......927537...........!a..%.H.VZAj...................!a..%.H.VZAj..............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):72
                                                                                                                                                              Entropy (8bit):4.780851828270855
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:bDuMJl+Uqe3TAlmxWtmx3TAlv:bCne3CE3W
                                                                                                                                                              MD5:69F6516C10F77E405479AA56E74F44A0
                                                                                                                                                              SHA1:36194337D22DE7E093B6659C3E3A1C98A2F243CE
                                                                                                                                                              SHA-256:EFAE2CC5C7CBDFF13D4AC0A4FB3F0C0000C52A4E1C9AD499C834F0135A8ECCFB
                                                                                                                                                              SHA-512:3443F8CF1E2804F86512DDDCEC8DF5F0F3683FA2D1E57FC4592E8A13FC7CCC9E402230D71F956DDB8D3873B6825979EB706599CB0F7B2FF32D1A993F31D9451B
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:[folders]..Templates.LNK=0..C1ZGt61uGv.LNK=0..[misc]..C1ZGt61uGv.LNK=0..
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):162
                                                                                                                                                              Entropy (8bit):2.664661183360374
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:Rl/Zdal6/XxUcrz1l5z14jZRest:RtZMl6/m41l5zmF4st
                                                                                                                                                              MD5:1D0F7C6E4240901C9BABDE8067DDC94A
                                                                                                                                                              SHA1:74559DEAC17CBF1DED4DD89B48E64331A2F701B4
                                                                                                                                                              SHA-256:FF53715400739909187E1CDB686AFD0092F12B48E2A7DD2974CE5011411A483E
                                                                                                                                                              SHA-512:B2922955A42F3C6298AC1C845361363D6758EAD7430FDDC6FFF936D508435340063D23981EE9A8F44A8740364412D7C337B3042C55C9135782539E4AC0758CD1
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:.pratesh................................................p.r.a.t.e.s.h...........xF.........&....................dF..............................`F.........&......
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):20
                                                                                                                                                              Entropy (8bit):2.8954618442383215
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:QVNliGn:Q9rn
                                                                                                                                                              MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                                                              SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                                                              SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                                                              SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                                                              Malicious:false
Preview:..p.r.a.t.e.s.h.....
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.664661183360374
Encrypted:false
SSDEEP:3:Rl/Zdal6/XxUcrz1l5z14jZRest:RtZMl6/m41l5zmF4st
MD5:1D0F7C6E4240901C9BABDE8067DDC94A
SHA1:74559DEAC17CBF1DED4DD89B48E64331A2F701B4
SHA-256:FF53715400739909187E1CDB686AFD0092F12B48E2A7DD2974CE5011411A483E
SHA-512:B2922955A42F3C6298AC1C845361363D6758EAD7430FDDC6FFF936D508435340063D23981EE9A8F44A8740364412D7C337B3042C55C9135782539E4AC0758CD1
Malicious:false
Preview:.pratesh................................................p.r.a.t.e.s.h...........xF.........&....................dF..............................`F.........&......
File type:Microsoft Word 2007+
Entropy (8bit):7.316883678675453
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 49.01%
• Word Microsoft Office Open XML Format document (43504/1) 43.07%
• ZIP compressed archive (8000/1) 7.92%
File name:C1ZGt61uGv.docx
File size:26614
MD5:98998af843c2c938c079a102abe6c73d
SHA1:b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
SHA256:b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593
SHA512:4b3fee7cddc41a3f742d2ca3bcc6db766e43d183b926153927ec5591d73cce2d0cf5b4ade9d0f010bf6b104f463d44e383e423984d0bf5684e58971dd0665ee7
SSDEEP:384:aW5NndAzG46H8kwV1xEw2imBTQUhGnhHpAKIQqRrINxt/ZtNNiW2+30Ony/6MY:awlO1Ew2HGHiKpqRrSxllN2+3By/e
TLSH:DCC2C057D12B5C75CC6A4EBCD82C8ABCEA9430D0F9151187244DE6C9B24BD73133EA1A
File Content Preview:PK..........!..l.$u...........[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash:74fcd0d2d6d6d0cc
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Title:
Subject:
Author:Karewen .
Keywords:
Template:Normal.dotm
Last Saved By:Karewen .
Revision Number:2
Total Edit Time:0
Create Time:2022-06-03T10:03:00Z
Last Saved Time:2022-06-03T10:03:00Z
Number of Pages:1
Number of Words:3
Number of Characters:18
Creating Application:Microsoft Office Word
Security:0
Number of Lines:1
Number of Paragraphs:1
Thumbnail Scaling Desired:false
Company:
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:16.0000
General
Stream Path:\x1CompObj
File Type:data
Stream Size:76
Entropy:3.093449526469053
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . 9 q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:\x1Ole10Native
File Type:data
Stream Size:2240124
Entropy:0.005070123031127669
Base64 Encoded:True
Data ASCII:x . " . . . N e w B i t m a p i m a g e . b m p . D : \\ S a y a a r \\ P e r s o n a l \\ C o d i n g \\ M S D T Z e r o - D a y \\ M S F o l l i n a \\ N e w B i t m a p i m a g e . b m p . . . . . ^ . . . C : \\ U s e r s \\ k a r e w \\ A p p D a t a \\ L o c a l \\ T e m p \\ { 4 9 2 A 0 5 A 6 - 0 F C E - 4 3 E 2 - A F E 7 - D D 9 A E A 8 4 F C 1 B } \\ N e w B i t m a p i m a g e . b m p . 6 , " . B M 6 , " . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . , " . . . . . . . . . . . . . . . . .
Data Raw:78 2e 22 00 02 00 4e 65 77 20 42 69 74 6d 61 70 20 69 6d 61 67 65 2e 62 6d 70 00 44 3a 5c 53 61 79 61 61 72 5c 50 65 72 73 6f 6e 61 6c 5c 43 6f 64 69 6e 67 5c 4d 53 44 54 20 5a 65 72 6f 2d 44 61 79 5c 4d 53 46 6f 6c 6c 69 6e 61 5c 4e 65 77 20 42 69 74 6d 61 70 20 69 6d 61 67 65 2e 62 6d 70 00 00 00 03 00 5e 00 00 00 43 3a 5c 55 73 65 72 73 5c 6b 61 72 65 77 5c 41 70 70 44 61 74 61
General
Stream Path:\x3EPRINT
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Stream Size:10172
Entropy:3.928478624213631
Base64 Encoded:False
Data ASCII:. . . . l . . . . . . . . . . . . . . I . . . . . . . . . . . ' . . . 9 . . . E M F . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . R . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . e . g . o . e . . U . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 00 00 00 6c 00 00 00 18 00 00 00 00 00 00 00 d7 00 00 00 49 00 00 00 00 00 00 00 00 00 00 00 27 0f 00 00 39 05 00 00 20 45 4d 46 00 00 01 00 bc 27 00 00 0d 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 35 01 00 00 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 b7 04 00 b0 a7 02 00 0a 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00
General
Stream Path:\x3ObjInfo
File Type:data
Stream Size:6
Entropy:1.2516291673878228
Base64 Encoded:False
Data ASCII:. . . . . .
Data Raw:00 00 03 00 0d 00
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/18/22-04:23:24.931708 | TCP | 2025010 | ET TROJAN Powershell commands sent B64 1 | 443 | 49176 | 35.186.245.55 | 192.168.2.22
08/18/22-04:23:28.806682 | TCP | 2025010 | ET TROJAN Powershell commands sent B64 1 | 443 | 49181 | 35.186.245.55 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                              Aug 18, 2022 04:31:43.476448059 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.477057934 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.477197886 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.478065014 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.478091955 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.546355963 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.546401978 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.546539068 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.546850920 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.546869040 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.705864906 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.706513882 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.706535101 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.708982944 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:43.708997011 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.982458115 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:43.982800961 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.019804001 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.019845963 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.020030975 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.020313025 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.020324945 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.177850962 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.178363085 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.178391933 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.179773092 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.179780006 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.603888035 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.604222059 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.604403973 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.604461908 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.604480028 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.604510069 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.604518890 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.624933004 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.624974966 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.625086069 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.625417948 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.625432968 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.782062054 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.782957077 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.782994032 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:44.786123991 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:44.786138058 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.049310923 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.049454927 CEST4434976734.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.049982071 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.052130938 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.063913107 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.063967943 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.064253092 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.064444065 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.064471006 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.225277901 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.225389957 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.225775957 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.225802898 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.230868101 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.230892897 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.525676012 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.525755882 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.525859118 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.525872946 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.525914907 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.526014090 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.527672052 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.527770042 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.529500008 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.529589891 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.529901981 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.529987097 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.529992104 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.530057907 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.531115055 CEST49768443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.531131983 CEST4434976834.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.719885111 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.719930887 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.720038891 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.720315933 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.720325947 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.877696991 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.877816916 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.878340960 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.878356934 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:45.884457111 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:45.884486914 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.119469881 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.119582891 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.119698048 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.119735956 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.119812965 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.119847059 CEST4434976934.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.119887114 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.119976044 CEST49769443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.395852089 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.395916939 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.396094084 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.396408081 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.396433115 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.553245068 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.553428888 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.554136038 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.554150105 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.560345888 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.560384035 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.827812910 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.827900887 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.827975988 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.828223944 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.828286886 CEST4434977034.149.204.188192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:31:46.828485012 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              Aug 18, 2022 04:31:46.828500986 CEST49770443192.168.2.434.149.204.188
                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                              Aug 18, 2022 04:29:08.064887047 CEST6100753192.168.2.48.8.8.8
                                                                                                                                                              Aug 18, 2022 04:29:08.082041979 CEST53610078.8.8.8192.168.2.4
                                                                                                                                                              Aug 18, 2022 04:29:12.806756973 CEST6112453192.168.2.48.8.8.8
                                                                                                                                                              Aug 18, 2022 04:29:12.824287891 CEST53611248.8.8.8192.168.2.4
                                                                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                              Aug 18, 2022 04:29:08.064887047 CEST192.168.2.48.8.8.80x6330Standard query (0)dullghostwhitetwintext.karewen.repl.coA (IP address)IN (0x0001)
                                                                                                                                                              Aug 18, 2022 04:29:12.806756973 CEST192.168.2.48.8.8.80x188bStandard query (0)dullghostwhitetwintext.karewen.repl.coA (IP address)IN (0x0001)
                                                                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                              Aug 18, 2022 04:29:08.082041979 CEST8.8.8.8192.168.2.40x6330No error (0)dullghostwhitetwintext.karewen.repl.co34.149.204.188A (IP address)IN (0x0001)
                                                                                                                                                              Aug 18, 2022 04:29:12.824287891 CEST8.8.8.8192.168.2.40x188bNo error (0)dullghostwhitetwintext.karewen.repl.co34.149.204.188A (IP address)IN (0x0001)
                                                                                                                                                              • dullghostwhitetwintext.karewen.repl.co
Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49713 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:29:08 UTC | kBytes transferred: 0 | Direction: OUT | Data:
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co

Timestamp: 2022-08-18 02:29:08 UTC | kBytes transferred: 0 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:08 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757733; includeSubDomains
Connection: close

Timestamp: 2022-08-18 02:29:08 UTC | kBytes transferred: 0 | Direction: IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49714 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:29:08 UTC | kBytes transferred: 0 | Direction: OUT | Data:
HEAD /index.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co

Timestamp: 2022-08-18 02:29:09 UTC | kBytes transferred: 1 | Direction: IN | Data:
HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:09 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757733; includeSubDomains
Connection: close


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49715 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:29:12 UTC | kBytes transferred: 1 | Direction: OUT | Data:
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co

Timestamp: 2022-08-18 02:29:12 UTC | kBytes transferred: 1 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:12 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757729; includeSubDomains
Connection: close

Timestamp: 2022-08-18 02:29:12 UTC | kBytes transferred: 2 | Direction: IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49716 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:29:13 UTC | kBytes transferred: 2 | Direction: OUT | Data:
GET /index.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 2 | Direction: IN | Data:
HTTP/1.1 502 Bad Gateway
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Strict-Transport-Security: max-age=7757728; includeSubDomains
Date: Thu, 18 Aug 2022 02:31:43 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Transfer-Encoding: chunked

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 3 | Direction: IN | Data Ascii: 800<!DOCTYPE html><html lang="en"> <head> <title>Unable To Wake Up</title> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans"> <style> body { margin: 0; height: 100vh;

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 3 | Direction: IN | Data Ascii: } @media (max-width: 500px) { .message { flex-direction: column; align-items: center; } } .eval-bot { margin: 4em; } .console { background-color: #0e1628; col

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 6 | Direction: IN | Data Ascii: 5.334 115.409 241.211 117.849L241.191 118.039C226.436 116.541 214.874 94.5901 215.078 67.8471C215.281 41.0969 227.183 19.3505 241.958 18.1232L241.972 18.3132V18.3132Z" fill="#77EA94" /> <path d="

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 6 | Direction: IN | Data Ascii: 12.2502C223.284 16.5016 211.647 39.7163 211.43 67.8179C211.43 68.5484 211.43 69.2716 211.437 70.002H211.307L193.727 70.3454H193.659C193.686 69.4542 193.706 68.5557 193.713 67.6572C193.829 52.1345 190.439 38.0435 184.855 27.7802L185.072 27.6414L193.584 26


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 11 | Direction: OUT | Data:
OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 11 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:43 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757578; includeSubDomains
Connection: close

Timestamp: 2022-08-18 02:31:43 UTC | kBytes transferred: 11 | Direction: IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 34.149.204.188 | Destination Port: 443 | Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp: 2022-08-18 02:31:44 UTC | kBytes transferred: 12 | Direction: OUT | Data:
HEAD /index.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co

Timestamp: 2022-08-18 02:31:44 UTC | kBytes transferred: 12 | Direction: IN | Data:
HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:44 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757577; includeSubDomains
Connection: close


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              6192.168.2.44976734.149.204.188443C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              2022-08-18 02:31:44 UTC12OUTOPTIONS / HTTP/1.1
                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                              Authorization: Bearer
                                                                                                                                                              User-Agent: Microsoft Office Word 2014
                                                                                                                                                              X-Office-Major-Version: 16
                                                                                                                                                              X-MS-CookieUri-Requested: t
                                                                                                                                                              X-FeatureVersion: 1
                                                                                                                                                              X-MSGETWEBURL: t
                                                                                                                                                              X-IDCRL_ACCEPTED: t
                                                                                                                                                              Host: dullghostwhitetwintext.karewen.repl.co
                                                                                                                                                              2022-08-18 02:31:45 UTC13INHTTP/1.1 404 Not Found
                                                                                                                                                              Content-Length: 207
                                                                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                                                                              Date: Thu, 18 Aug 2022 02:31:44 GMT
                                                                                                                                                              Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
                                                                                                                                                              Replit-Cluster: global
                                                                                                                                                              Server: Werkzeug/2.1.2 Python/3.8.12
                                                                                                                                                              Strict-Transport-Security: max-age=7757577; includeSubDomains
                                                                                                                                                              Connection: close
2022-08-18 02:31:45 UTC | 13 | IN | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49768
Destination IP: 34.149.204.188
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:45 UTC | 13 | OUT | GET /index.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:45 UTC | 13 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:45 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757576; includeSubDomains
Connection: close
2022-08-18 02:31:45 UTC | 14 | IN | Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna
2022-08-18 02:31:45 UTC | 15 | IN | Data Ascii: , semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In qui
2022-08-18 02:31:45 UTC | 17 | IN | Data Ascii: s, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at
2022-08-18 02:31:45 UTC | 17 | IN | Data Ascii: quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.Morbi c


Session ID: 8
Source IP: 192.168.2.4
Source Port: 49769
Destination IP: 34.149.204.188
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:45 UTC | 20 | OUT | HEAD /index.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:46 UTC | 20 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:46 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757576; includeSubDomains
Connection: close


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49770
Destination IP: 34.149.204.188
Destination Port: 443
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:46 UTC | 20 | OUT | HEAD /index.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:46 UTC | 20 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:46 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757575; includeSubDomains
Connection: close



Target ID:0
Start time:04:29:02
Start date:18/08/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:0xd60000
File size:1937688 bytes
MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:04:29:08
Start date:18/08/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:0x940000
File size:466688 bytes
MD5 hash:EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

No disassembly