Windows Analysis Report
C1ZGt61uGv.docx

Overview

General Information

Sample Name: C1ZGt61uGv.docx
Analysis ID: 686026
MD5: 98998af843c2c938c079a102abe6c73d
SHA1: b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
SHA256: b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593

Detection

Follina CVE-2022-30190
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 5772 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • MSOSYNC.EXE (PID: 5500 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  • cleanup
No configs have been found
Yara matches on the sample (Source / Rule / Description / Author / Strings)

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x3d2:$a2: TargetMode="External"
  • 0x3ca:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3d2:$mode: TargetMode="External

Yara matches on network traffic (Source / Rule / Description / Author / Strings)

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Yara matches on dropped files (Source / Rule / Description / Author / Strings)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x1444:$a: PCWDiagnostic
  • 0x1438:$sa3: ms-msdt
  • 0x1498:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1427:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x1444:$a: PCWDiagnostic
  • 0x1438:$sa3: ms-msdt
  • 0x1498:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x1427:$re1: location.href = "ms-msdt:
      No Sigma rule has matched
      Snort IDS alerts

      Timestamp: 08/18/22-04:23:24.931708
      Source IP: 35.186.245.55
      Destination IP: 192.168.2.22
      SID: 2025010
      Source Port: 443
      Destination Port: 49176
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 08/18/22-04:23:28.806682
      Source IP: 35.186.245.55
      Destination IP: 192.168.2.22
      SID: 2025010
      Source Port: 443
      Destination Port: 49181
      Protocol: TCP
      Classtype: A Network Trojan was detected
      AV Detection

      Source: C1ZGt61uGv.docx | Avira: detected
      Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
      Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
      Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

      Exploits

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED
      Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html!
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49713 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49716 version: TLS 1.2
      Source: global traffic | DNS query: name: dullghostwhitetwintext.karewen.repl.co

      Networking

      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49176
      Source: Traffic | Snort IDS: 2025010 ET TROJAN Powershell commands sent B64 1 35.186.245.55:443 -> 192.168.2.22:49181
      Source: global traffic | HTTP traffic detected: GET /index.html HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) | Accept-Encoding: gzip, deflate | Host: dullghostwhitetwintext.karewen.repl.co | Connection: Keep-Alive
      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:29:08 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757733; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:29:12 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757729; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:31:43 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757578; includeSubDomains | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 207 | Content-Type: text/html; charset=utf-8 | Date: Thu, 18 Aug 2022 02:31:44 GMT | Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791" | Replit-Cluster: global | Server: Werkzeug/2.1.2 Python/3.8.12 | Strict-Transport-Security: max-age=7757577; includeSubDomains | Connection: close
      Source: unknownDNS traffic detected: queries for: dullghostwhitetwintext.karewen.repl.co
      Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: dullghostwhitetwintext.karewen.repl.coConnection: Keep-Alive
      Source: unknownHTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49713 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 34.149.204.188:443 -> 192.168.2.4:49716 version: TLS 1.2

      System Summary

      Source: document.xml.rels, type: SAMPLEMatched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
      Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
      Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Section loaded: sfc.dll
      Source: C1ZGt61uGv.docx | Virustotal: Detection: 45%
      Source: C1ZGt61uGv.docx | Metadefender: Detection: 25%
      Source: C1ZGt61uGv.docx | ReversingLabs: Detection: 35%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
      Source: C1ZGt61uGv.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\C1ZGt61uGv.docx
      Source: C1ZGt61uGv.docx | OLE indicator, Word Document stream: true
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{43DFBCA4-69C6-481F-828D-0F0BE60BBB1D} - OProcSessId.dat
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
      Source: classification engine | Classification label: mal96.expl.evad.winDOCX@3/12@2/1
      Source: C1ZGt61uGv.docx | OLE document summary: title field not present or empty
      Source: C1ZGt61uGv.docx | OLE document summary: edited time not present or 0
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: C1ZGt61uGv.docx | Initial sample: OLE indicators vbamacros = False

      Persistence and Installation Behavior

      Source: document.xml.rels | Extracted files from sample: https://dullghostwhitetwintext.karewen.repl.co/index.html
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
      Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
      MITRE ATT&CK matrix, listed by tactic (a number in parentheses is the count shown next to that technique in the original matrix):
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
      Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac)
      Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
      Discovery: Query Registry (1); File and Directory Discovery (2); System Information Discovery (12); Remote System Discovery (1)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
      Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Ingress Tool Transfer (3)
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
      Impact: Modify System Partition; Device Lockout; Delete Device Data
      Antivirus detections for the submitted sample (Source | Detection | Scanner | Label):
      C1ZGt61uGv.docx | 46% | Virustotal | (none)
      C1ZGt61uGv.docx | 26% | Metadefender | (none)
      C1ZGt61uGv.docx | 35% | ReversingLabs | Document-Word.Trojan.Minerva
      C1ZGt61uGv.docx | 100% | Avira | W97M/Dldr.Agent.G1
      Antivirus detections for dropped files (Source | Detection | Scanner | Label):
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm | 100% | Avira | JS/CVE-2022-30190.G
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm | 100% | Avira | JS/CVE-2022-30190.G
      No Antivirus matches
      Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
      dullghostwhitetwintext.karewen.repl.co | 34.149.204.188 | true | false | (none) | high
      Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
      https://dullghostwhitetwintext.karewen.repl.co/index.html | false | (none) | high
                                                                                  high
                                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                    high
                                                                                    https://ncus.contentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                      high
                                                                                      https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                        high
                                                                                        http://weather.service.msn.com/data.aspx9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                          high
                                                                                          https://apis.live.net/v5.0/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                            high
                                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                              high
                                                                                              https://messaging.lifecycle.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                high
                                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                  high
                                                                                                  https://management.azure.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                    high
                                                                                                    https://outlook.office365.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                      high
                                                                                                      https://wus2.contentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://incidents.diagnostics.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                        high
                                                                                                        https://clients.config.office.net/user/v1.0/ios9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                          high
                                                                                                          https://insertmedia.bing.office.net/odc/insertmedia9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                            high
                                                                                                            https://o365auditrealtimeingestion.manage.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office365.com/api/v1.0/me/Activities9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                high
                                                                                                                https://api.office.net9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                  high
                                                                                                                  https://incidents.diagnosticssdf.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                    high
                                                                                                                    https://asgsmsproxyapi.azurewebsites.net/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://clients.config.office.net/user/v1.0/android/policies9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                      high
                                                                                                                      https://entitlement.diagnostics.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                        high
                                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                          high
                                                                                                                          https://substrate.office.com/search/api/v2/init9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                              high
                                                                                                                              https://storage.live.com/clientlogs/uploadlocation9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://webshell.suite.office.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://substrate.office.com/search/api/v1/SearchHistory9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://management.azure.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://messaging.lifecycle.office.com/getcustommessage169AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://clients.config.office.net/c2r/v1.0/InteractiveInstallation9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://login.windows.net/common/oauth2/authorize9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://graph.windows.net/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://api.powerbi.com/beta/myorg/imports9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://devnull.onenote.com9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://messaging.action.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://ncus.pagecontentsync.9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://messaging.office.com/9AD07AEC-2B98-4723-BED2-037E998950B4.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                            • 75% < No. of IPs
IP              Domain                                   Country        ASN    ASN Name      Malicious
34.149.204.188  dullghostwhitetwintext.karewen.repl.co   United States  2686   ATGS-MMD-AS   false
                                                                                                                                                            Joe Sandbox Version:35.0.0 Citrine
                                                                                                                                                            Analysis ID:686026
                                                                                                                                                            Start date and time:2022-08-18 04:28:08 +02:00
                                                                                                                                                            Joe Sandbox Product:CloudBasic
                                                                                                                                                            Overall analysis duration:0h 7m 30s
                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                            Report type:light
                                                                                                                                                            Sample file name:C1ZGt61uGv.docx
                                                                                                                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                            Run name:Potential for more IOCs and behavior
                                                                                                                                                            Number of analysed new started processes analysed:25
                                                                                                                                                            Number of new started drivers analysed:1
                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                            Technologies:
                                                                                                                                                            • HCA enabled
                                                                                                                                                            • EGA enabled
                                                                                                                                                            • HDC enabled
                                                                                                                                                            • AMSI enabled
                                                                                                                                                            Analysis Mode:default
                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                            Detection:MAL
                                                                                                                                                            Classification:mal96.expl.evad.winDOCX@3/12@2/1
                                                                                                                                                            EGA Information:Failed
                                                                                                                                                            HDC Information:Failed
                                                                                                                                                            HCA Information:
                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                            • Number of executed functions: 0
                                                                                                                                                            • Number of non-executed functions: 0
                                                                                                                                                            Cookbook Comments:
                                                                                                                                                            • Found application associated with file extension: .docx
                                                                                                                                                            • Adjust boot time
                                                                                                                                                            • Enable AMSI
                                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                            • Attach to Office via COM
                                                                                                                                                            • Scroll down
                                                                                                                                                            • Close Viewer
                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                            • TCP Packets have been reduced to 100
                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 52.109.76.141, 52.109.88.38, 52.109.76.36, 52.109.12.24, 52.109.76.33
                                                                                                                                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, store-images.microsoft.com, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                            No simulations
                                                                                                                                                            No context
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:Microsoft Access Database
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):528384
                                                                                                                                                            Entropy (8bit):0.47577658796690125
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:384:z0HGfXArJCKE8SFNfZ0jGBChxQWfwtZ1II+hVZO4Fg:z3fXACdHZZM3Df/zI
                                                                                                                                                            MD5:F1D2BA9091205066A55618062B66050A
                                                                                                                                                            SHA1:41BECA7F78E2F2AEE28F1EF883608BBB0672D36E
                                                                                                                                                            SHA-256:9EB44F67B6945C225F04371D022EA02E1C6761CD5F11630EB3CC5C5F083A62E2
                                                                                                                                                            SHA-512:6A71B7FE43E54FEA2A93710BD3FB540109A0FD0F1C36310F8D6BA107E29D9F5EE3AB996210C4B3B13F978D523A2633B78533C61DF16E6A6DD8CDF215CD0C9E93
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):36
                                                                                                                                                            Entropy (8bit):2.730660070105504
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:5NixJlElGUR:WrEcUR
                                                                                                                                                            MD5:1F830B53CA33A1207A86CE43177016FA
                                                                                                                                                            SHA1:BDF230E1F33AFBA5C9D5A039986C6505E8B09665
                                                                                                                                                            SHA-256:EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
                                                                                                                                                            SHA-512:502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                            Preview:C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):64
                                                                                                                                                            Entropy (8bit):1.4172860556164644
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:mpl/vaV:mLu
                                                                                                                                                            MD5:13B298EF83EFE8258432E1FFC9D94466
                                                                                                                                                            SHA1:A093E48FD3BACC5E346ADFFC3B803ADB0CEF64C0
                                                                                                                                                            SHA-256:B93F8A727C7BFD26FB41AE610DA83BA8B71C73E8058EF09F2F1B2F702BD71CED
                                                                                                                                                            SHA-512:98C7D1A261AD0AC2F1AA6B03A36B7E37E6B2475A35EE42113F6ED4F52EE9BE6888D5DB29D7B69275A70A86C69C870901517B900A716E9BD38AE71ABDBE38A2BA
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:927537. Admin.
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):148061
                                                                                                                                                            Entropy (8bit):5.358146407288765
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:1536:IcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:r1Q9DQe+zuXYr
                                                                                                                                                            MD5:5C5C8FA149FACF1CBE4B3EBD3382A785
                                                                                                                                                            SHA1:9BBD5D561FE0539C16C2E7EF0D5E6AAE1280DC4C
                                                                                                                                                            SHA-256:F81CA7FA8430DBD1BFF3CBEDC0A28695D47CC80EEE4ACFBFFE96A3A08D24BBC4
                                                                                                                                                            SHA-512:EDD3C0D7F0AE09DCC4DEF8B056346C1358F9FA53F81A6B52116E2D52AEC3434491AC6BBC3CF2037E9D2411D0DDA3C33730AEA5C44B4A51451550B668A062E149
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-18T02:29:04">.. Build: 16.0.15614.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):5901
                                                                                                                                                            Entropy (8bit):4.701941274629396
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
                                                                                                                                                            MD5:2C855A56E062B197D4CC9D021DF71219
                                                                                                                                                            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
                                                                                                                                                            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
                                                                                                                                                            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
                                                                                                                                                            Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                            • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DA80A60.htm, Author: Joe Security
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):10172
                                                                                                                                                            Entropy (8bit):3.928478624213631
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:q373cifeyUaIWmBJOhTDOj1WN7M60iIiB7rSwVauLM/Myof9NLRgMy7k3e2kW86J:873xeXaIBckry+Ks8D+plS
                                                                                                                                                            MD5:C349F98D0BBE0D72F9A6E34335918207
                                                                                                                                                            SHA1:B2184C336F95E1ED5F338D1B27D06A4F8E1C535F
                                                                                                                                                            SHA-256:8ACC7CBE7BEB283D3908F418FB5390623F1EB46018F426D4911F5515E786CAA5
                                                                                                                                                            SHA-512:A6DE09C1E4B3947EF4B8BF46B14A3E77AFFB6004EDED3560814720B8304542F1722EFEF83502E0532C76B438015B84200302BE5CE5F8C1228A881F050BE8AE5B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:....l...............I...........'...9... EMF.....'..........................8...5.......................................................R...R...p...................................S.e.g.o.e. .U.I.................................................................................................................................................................................................................................................................................................................dv......%...................................r....$..`.........../...`.......0...0..................?...........?................l...4........$..0...0...(...0...0..... ......$......................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                            Category:downloaded
                                                                                                                                                            Size (bytes):5901
                                                                                                                                                            Entropy (8bit):4.701941274629396
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:O/iGBF2nPW5mDwID8qImX1I8vHWYMLJJ2lpyffnbTc7Om/EAEwCgEAKKiSe+0glg:OZ5mDwIDukGTlKEHbTcKCZEwCgEzKiSs
                                                                                                                                                            MD5:2C855A56E062B197D4CC9D021DF71219
                                                                                                                                                            SHA1:C3161D4AF43AD3DA1B08FF367C06D12FA7D483D5
                                                                                                                                                            SHA-256:A6F55957542982348EB412B9B49797E1931183A6BF395016885E1294C5A08DBD
                                                                                                                                                            SHA-512:11B94B5B6E3F4AEC38B15BF73A3B6836955980F5A47293266BB1FAA88005C94EBBF57465D02D8D4CF164E3F28236A7190592CA6E8C3E82A98CBF7708CF1DCDC0
                                                                                                                                                            Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
                                                                                                                                                            • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Tobias Michalski, Christian Burkard
                                                                                                                                                            • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, Author: Joe Security
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                                            IE Cache URL:https://dullghostwhitetwintext.karewen.repl.co/index.html
                                                                                                                                                            Preview:<!doctype html>.<html lang="en">.<head>.<title>.Good thing we disabled macros.</title>.</head>.<body>.<p>.Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor...Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit...Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignis
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:31 2022, mtime=Thu Aug 18 01:31:47 2022, atime=Thu Aug 18 01:29:02 2022, length=26614, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1060
                                                                                                                                                            Entropy (8bit):4.697968162284448
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:8D3ZjUhcduCH2zE4ECH0+WpmtGxbKzjEjAJ/Dt3t/DmGK/NDu9u9L44t2Y+xIBj1:8D3sUKxxaoUAJbt3J8DMMk7aB6m
                                                                                                                                                            MD5:59E0ACC4554DE387C6E188AC9F18E591
                                                                                                                                                            SHA1:29DAEE6057B458A415690799D1B379B8AB66590D
                                                                                                                                                            SHA-256:F412CE351B2C63DA034DCCD6B74F314B5B4BC72154AF85FDFD17247A2BED36D1
                                                                                                                                                            SHA-512:08E150A76E5A0E4FA89B147ED68DDB3E839844991B32E781FE20465A990CFC7DD8E8EC4E26A429EDD09BC726CE6F9979DCD76265A26855CC335D434EE8E81347
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.... ....C..u.../........G.....g...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U......................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U1m..user.<.......N...U......#J......................,.j.o.n.e.s.....~.1......U2m..Desktop.h.......N...U.......Y..............>.......8.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2..g...U.. .C1ZGT6~1.DOC..P.......U0m.U......P......................_..C.1.Z.G.t.6.1.u.G.v...d.o.c.x.......U...............-.......T...........>.S......C:\Users\user\Desktop\C1ZGt61uGv.docx..&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.1.Z.G.t.6.1.u.G.v...d.o.c.x.........:..,.LB.)...As...`.......X.......927537...........!a..%.H.VZAj...................!a..%.H.VZAj..............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):72
                                                                                                                                                            Entropy (8bit):4.780851828270855
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:bDuMJl+Uqe3TAlmxWtmx3TAlv:bCne3CE3W
                                                                                                                                                            MD5:69F6516C10F77E405479AA56E74F44A0
                                                                                                                                                            SHA1:36194337D22DE7E093B6659C3E3A1C98A2F243CE
                                                                                                                                                            SHA-256:EFAE2CC5C7CBDFF13D4AC0A4FB3F0C0000C52A4E1C9AD499C834F0135A8ECCFB
                                                                                                                                                            SHA-512:3443F8CF1E2804F86512DDDCEC8DF5F0F3683FA2D1E57FC4592E8A13FC7CCC9E402230D71F956DDB8D3873B6825979EB706599CB0F7B2FF32D1A993F31D9451B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:[folders]..Templates.LNK=0..C1ZGt61uGv.LNK=0..[misc]..C1ZGt61uGv.LNK=0..
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):162
                                                                                                                                                            Entropy (8bit):2.664661183360374
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:Rl/Zdal6/XxUcrz1l5z14jZRest:RtZMl6/m41l5zmF4st
                                                                                                                                                            MD5:1D0F7C6E4240901C9BABDE8067DDC94A
                                                                                                                                                            SHA1:74559DEAC17CBF1DED4DD89B48E64331A2F701B4
                                                                                                                                                            SHA-256:FF53715400739909187E1CDB686AFD0092F12B48E2A7DD2974CE5011411A483E
                                                                                                                                                            SHA-512:B2922955A42F3C6298AC1C845361363D6758EAD7430FDDC6FFF936D508435340063D23981EE9A8F44A8740364412D7C337B3042C55C9135782539E4AC0758CD1
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:.pratesh................................................p.r.a.t.e.s.h...........xF.........&....................dF..............................`F.........&......
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):20
                                                                                                                                                            Entropy (8bit):2.8954618442383215
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:QVNliGn:Q9rn
                                                                                                                                                            MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                                                            SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                                                            SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                                                            SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:..p.r.a.t.e.s.h.....
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):162
                                                                                                                                                            Entropy (8bit):2.664661183360374
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:Rl/Zdal6/XxUcrz1l5z14jZRest:RtZMl6/m41l5zmF4st
                                                                                                                                                            MD5:1D0F7C6E4240901C9BABDE8067DDC94A
                                                                                                                                                            SHA1:74559DEAC17CBF1DED4DD89B48E64331A2F701B4
                                                                                                                                                            SHA-256:FF53715400739909187E1CDB686AFD0092F12B48E2A7DD2974CE5011411A483E
                                                                                                                                                            SHA-512:B2922955A42F3C6298AC1C845361363D6758EAD7430FDDC6FFF936D508435340063D23981EE9A8F44A8740364412D7C337B3042C55C9135782539E4AC0758CD1
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:.pratesh................................................p.r.a.t.e.s.h...........xF.........&....................dF..............................`F.........&......
                                                                                                                                                            File type:Microsoft Word 2007+
                                                                                                                                                            Entropy (8bit):7.316883678675453
                                                                                                                                                            TrID:
                                                                                                                                                            • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                            • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                            • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                            File name:C1ZGt61uGv.docx
                                                                                                                                                            File size:26614
                                                                                                                                                            MD5:98998af843c2c938c079a102abe6c73d
                                                                                                                                                            SHA1:b1a1dda90b3df0ba5f23430a6c55c48a9c3dbe9d
                                                                                                                                                            SHA256:b0cfd511498cbaed084fa622cfeb1a07de7478205cbff58cb40cb89091813593
                                                                                                                                                            SHA512:4b3fee7cddc41a3f742d2ca3bcc6db766e43d183b926153927ec5591d73cce2d0cf5b4ade9d0f010bf6b104f463d44e383e423984d0bf5684e58971dd0665ee7
                                                                                                                                                            SSDEEP:384:aW5NndAzG46H8kwV1xEw2imBTQUhGnhHpAKIQqRrINxt/ZtNNiW2+30Ony/6MY:awlO1Ew2HGHiKpqRrSxllN2+3By/e
                                                                                                                                                            TLSH:DCC2C057D12B5C75CC6A4EBCD82C8ABCEA9430D0F9151187244DE6C9B24BD73133EA1A
                                                                                                                                                            File Content Preview:PK..........!..l.$u...........[Content_Types].xml ...(.........................................................................................................................................................................................................
                                                                                                                                                            Icon Hash:74fcd0d2d6d6d0cc
                                                                                                                                                            Document Type:OpenXML
                                                                                                                                                            Number of OLE Files:1
                                                                                                                                                            Has Summary Info:
                                                                                                                                                            Application Name:
                                                                                                                                                            Encrypted Document:False
                                                                                                                                                            Contains Word Document Stream:True
                                                                                                                                                            Contains Workbook/Book Stream:False
                                                                                                                                                            Contains PowerPoint Document Stream:False
                                                                                                                                                            Contains Visio Document Stream:False
                                                                                                                                                            Contains ObjectPool Stream:False
                                                                                                                                                            Flash Objects Count:0
                                                                                                                                                            Contains VBA Macros:False
                                                                                                                                                            Title:
                                                                                                                                                            Subject:
                                                                                                                                                            Author:Karewen .
                                                                                                                                                            Keywords:
                                                                                                                                                            Template:Normal.dotm
                                                                                                                                                            Last Saved By:Karewen .
Revision Number:2
                                                                                                                                                            Total Edit Time:0
                                                                                                                                                            Create Time:2022-06-03T10:03:00Z
                                                                                                                                                            Last Saved Time:2022-06-03T10:03:00Z
                                                                                                                                                            Number of Pages:1
                                                                                                                                                            Number of Words:3
                                                                                                                                                            Number of Characters:18
                                                                                                                                                            Creating Application:Microsoft Office Word
                                                                                                                                                            Security:0
                                                                                                                                                            Number of Lines:1
                                                                                                                                                            Number of Paragraphs:1
                                                                                                                                                            Thumbnail Scaling Desired:false
                                                                                                                                                            Company:
                                                                                                                                                            Contains Dirty Links:false
                                                                                                                                                            Shared Document:false
                                                                                                                                                            Changed Hyperlinks:false
                                                                                                                                                            Application Version:16.0000
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x1CompObj
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:76
                                                                                                                                                            Entropy:3.093449526469053
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . 9 q . . . . . . . . . . . .
                                                                                                                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x1Ole10Native
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:2240124
                                                                                                                                                            Entropy:0.005070123031127669
                                                                                                                                                            Base64 Encoded:True
                                                                                                                                                            Data ASCII:x . " . . . N e w B i t m a p i m a g e . b m p . D : \\ S a y a a r \\ P e r s o n a l \\ C o d i n g \\ M S D T Z e r o - D a y \\ M S F o l l i n a \\ N e w B i t m a p i m a g e . b m p . . . . . ^ . . . C : \\ U s e r s \\ k a r e w \\ A p p D a t a \\ L o c a l \\ T e m p \\ { 4 9 2 A 0 5 A 6 - 0 F C E - 4 3 E 2 - A F E 7 - D D 9 A E A 8 4 F C 1 B } \\ N e w B i t m a p i m a g e . b m p . 6 , " . B M 6 , " . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . , " . . . . . . . . . . . . . . . . .
                                                                                                                                                            Data Raw:78 2e 22 00 02 00 4e 65 77 20 42 69 74 6d 61 70 20 69 6d 61 67 65 2e 62 6d 70 00 44 3a 5c 53 61 79 61 61 72 5c 50 65 72 73 6f 6e 61 6c 5c 43 6f 64 69 6e 67 5c 4d 53 44 54 20 5a 65 72 6f 2d 44 61 79 5c 4d 53 46 6f 6c 6c 69 6e 61 5c 4e 65 77 20 42 69 74 6d 61 70 20 69 6d 61 67 65 2e 62 6d 70 00 00 00 03 00 5e 00 00 00 43 3a 5c 55 73 65 72 73 5c 6b 61 72 65 77 5c 41 70 70 44 61 74 61
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x3EPRINT
                                                                                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                            Stream Size:10172
                                                                                                                                                            Entropy:3.928478624213631
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . l . . . . . . . . . . . . . . I . . . . . . . . . . . ' . . . 9 . . . E M F . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . R . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . e . g . o . e . . U . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                            Data Raw:01 00 00 00 6c 00 00 00 18 00 00 00 00 00 00 00 d7 00 00 00 49 00 00 00 00 00 00 00 00 00 00 00 27 0f 00 00 39 05 00 00 20 45 4d 46 00 00 01 00 bc 27 00 00 0d 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 35 01 00 00 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 b7 04 00 b0 a7 02 00 0a 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x3ObjInfo
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:6
                                                                                                                                                            Entropy:1.2516291673878228
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . .
                                                                                                                                                            Data Raw:00 00 03 00 0d 00
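The \x1CompObj and \x1Ole10Native streams above belong to one OLE Package (packager) object: CompObj names the class, Ole10Native wraps the packaged file together with the paths it was packaged from and extracted to. The following Python is an added example, not part of the Joe Sandbox report or its tooling, that parses both layouts as documented in MS-OLEDS and implemented by oletools' oleobj. The CompObj input is the 76 bytes printed in the report above; the Ole10Native stream is constructed from the header strings the report shows (label, source path, temp path) around a 14-byte stand-in payload, because the report prints only the first bytes of the 2,240,124-byte stream and the 2.2 MB bitmap is not reproduced here.

```python
"""Parse the CompObj and Ole10Native streams of an OLE Package object.
Added example (layouts per MS-OLEDS and oletools' oleobj), not report code."""
import hashlib
import struct
import uuid

PACKAGE_CLSID = "0003000c-0000-0000-c000-000000000046"  # OLE Package (packager.dll)
UNICODE_MARKER = 0x71B239F4  # separates the ANSI and Unicode halves of CompObj

# \x01CompObj stream: all 76 bytes exactly as printed in the report's Data Raw field.
COMPOBJ = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff"
    "0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46"
    "0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00"
    "00 00 00 00"
    "08 00 00 00 50 61 63 6b 61 67 65 00"
    "f4 39 b2 71"
    "00 00 00 00 00 00 00 00 00 00 00 00"
)


def _length_prefixed_ansi(buf, off):
    """LengthPrefixedAnsiString: uint32 length (counting the NUL), then bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].split(b"\x00", 1)[0].decode("latin-1"), off + n


def parse_compobj(buf):
    """Return the CLSID, user type and ProgID recorded in a CompObj stream."""
    if buf[:4] != b"\x01\x00\xfe\xff":
        raise ValueError("not a CompObj stream")
    clsid = str(uuid.UUID(bytes_le=buf[12:28]))  # CLSID sits in the header's Reserved2
    user_type, off = _length_prefixed_ansi(buf, 28)
    (fmt,) = struct.unpack_from("<I", buf, off)  # AnsiClipboardFormat marker or length
    off += 4
    if fmt in (0xFFFFFFFF, 0xFFFFFFFE):
        off += 4  # a standard clipboard-format id follows
    elif fmt:
        off += fmt  # a custom format name of that length follows
    prog_id, off = _length_prefixed_ansi(buf, off)  # Reserved1 holds the ProgID in practice
    (marker,) = struct.unpack_from("<I", buf, off)
    return {"clsid": clsid, "user_type": user_type, "prog_id": prog_id,
            "is_package": clsid == PACKAGE_CLSID,
            "unicode_marker_ok": marker == UNICODE_MARKER}


def _cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(buf):
    """Pull label, source path, temp path and the packaged payload out of Ole10Native."""
    total_size, _flags1 = struct.unpack_from("<IH", buf, 0)
    label, off = _cstring(buf, 6)
    src_path, off = _cstring(buf, off)
    _flags2, _unknown, temp_len = struct.unpack_from("<HHI", buf, off)
    off += 8
    temp_path = buf[off:off + temp_len].split(b"\x00", 1)[0].decode("latin-1")
    off += temp_len
    (payload_size,) = struct.unpack_from("<I", buf, off)
    off += 4
    payload = buf[off:off + payload_size]
    if len(payload) != payload_size:
        raise ValueError("truncated Ole10Native payload")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "temp_path_len": temp_len, "payload_size": payload_size,
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            # declared total excludes its own 4 bytes; trailing bytes are tolerated
            "size_consistent": total_size <= len(buf) - 4,
            "payload": payload}


def build_ole10native(label, src_path, temp_path, payload):
    """Constructed stream for this demo, mirroring the report's header bytes
    (flags 0x0002, then 0x0000 / 0x0003 ahead of the temp-path length)."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00" + src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(tmp)) + tmp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Header strings as printed in the report; the bitmap is replaced by a
# constructed stand-in, so the hash computed here is not the sample's.
SAMPLE_PAYLOAD = b"BM" + bytes(12)
SAMPLE_OLE10NATIVE = build_ole10native(
    "New Bitmap image.bmp",
    r"D:\Sayaar\Personal\Coding\MSDT Zero-Day\MSFollina\New Bitmap image.bmp",
    r"C:\Users\karew\AppData\Local\Temp\{492A05A6-0FCE-43E2-AFE7-DD9AEA84FC1B}\New Bitmap image.bmp",
    SAMPLE_PAYLOAD,
)

if __name__ == "__main__":
    print(parse_compobj(COMPOBJ))
    print({k: v for k, v in parse_ole10native(SAMPLE_OLE10NATIVE).items() if k != "payload"})
```

Running it yields the Package CLSID {0003000C-0000-0000-C000-000000000046} with user type "OLE Package" and ProgID "Package", and the three strings the report prints in Data ASCII: the label, the directory the file was packaged from (literally named MSDT Zero-Day\MSFollina) and the temp path under the user profile "karew", both of which the author's workstation left behind in the document. The temp-path length field decodes to 94, matching the 5e 00 00 00 in the report's raw bytes. On a real stream the payload hash is the value to pivot on; the stand-in's hash here is meaningless.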
Timestamp                 Protocol  SID      Message                                   Source Port  Dest Port  Source IP      Dest IP
08/18/22-04:23:24.931708  TCP       2025010  ET TROJAN Powershell commands sent B64 1  443          49176      35.186.245.55  192.168.2.22
08/18/22-04:23:28.806682  TCP       2025010  ET TROJAN Powershell commands sent B64 1  443          49181      35.186.245.55  192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Aug 18, 2022 04:29:08.099875927 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.099941015 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.100186110 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.109353065 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.109415054 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.270021915 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.270116091 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.274015903 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.274029970 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.274280071 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.277177095 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.323370934 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.548890114 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.549051046 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.549146891 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.576126099 CEST  49713        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.576155901 CEST  443          49713      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.719228029 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.719273090 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.719378948 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.720356941 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.720372915 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.875041962 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.878197908 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.878227949 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:08.880148888 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:08.880165100 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:09.117562056 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:09.117639065 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:09.117698908 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:09.117733002 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:09.117752075 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:09.117762089 CEST  49714        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:09.117769003 CEST  443          49714      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:12.157325983 CEST  49715        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:12.157398939 CEST  443          49715      34.149.204.188  192.168.2.4
Aug 18, 2022 04:29:12.157541990 CEST  49715        443        192.168.2.4     34.149.204.188
Aug 18, 2022 04:29:12.157762051 CEST  49715        443        192.168.2.4     34.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.157784939 CEST4434971534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.319632053 CEST4434971534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.320421934 CEST49715443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.320453882 CEST4434971534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.322175026 CEST49715443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.322185993 CEST4434971534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.601583958 CEST4434971534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.601955891 CEST49715443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.825898886 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.825948000 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:12.826054096 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.826745033 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:12.826772928 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:13.097120047 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:13.097235918 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:13.109215021 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:13.109241009 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:13.109560966 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:29:13.109628916 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:13.110523939 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:29:13.151379108 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.476154089 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.476254940 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.476346016 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.476383924 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.476397038 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.476448059 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.477057934 CEST4434971634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.477197886 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.478065014 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.478091955 CEST49716443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.546355963 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.546401978 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.546539068 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.546850920 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.546869040 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.705864906 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.706513882 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.706535101 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.708982944 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:43.708997011 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.982458115 CEST4434976534.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:43.982800961 CEST49765443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.019804001 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.019845963 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.020030975 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.020313025 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.020324945 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.177850962 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.178363085 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.178391933 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.179773092 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.179780006 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.603888035 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.604222059 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.604403973 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.604461908 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.604480028 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.604510069 CEST49766443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.604518890 CEST4434976634.149.204.188192.168.2.4
                                                                                                                                                            Aug 18, 2022 04:31:44.624933004 CEST49767443192.168.2.434.149.204.188
                                                                                                                                                            Aug 18, 2022 04:31:44.624974966 CEST4434976734.149.204.188192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 18, 2022 04:29:08.064887047 CEST | 61007 | 53 | 192.168.2.4 | 8.8.8.8
Aug 18, 2022 04:29:08.082041979 CEST | 53 | 61007 | 8.8.8.8 | 192.168.2.4
Aug 18, 2022 04:29:12.806756973 CEST | 61124 | 53 | 192.168.2.4 | 8.8.8.8
Aug 18, 2022 04:29:12.824287891 CEST | 53 | 61124 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 18, 2022 04:29:08.064887047 CEST | 192.168.2.4 | 8.8.8.8 | 0x6330 | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)
Aug 18, 2022 04:29:12.806756973 CEST | 192.168.2.4 | 8.8.8.8 | 0x188b | Standard query (0) | dullghostwhitetwintext.karewen.repl.co | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 18, 2022 04:29:08.082041979 CEST | 8.8.8.8 | 192.168.2.4 | 0x6330 | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)
Aug 18, 2022 04:29:12.824287891 CEST | 8.8.8.8 | 192.168.2.4 | 0x188b | No error (0) | dullghostwhitetwintext.karewen.repl.co | | 34.149.204.188 | A (IP address) | IN (0x0001)

• dullghostwhitetwintext.karewen.repl.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49713 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:29:08 UTC | 0 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:29:08 UTC | 0 | IN | HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:08 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757733; includeSubDomains
Connection: close
2022-08-18 02:29:08 UTC | 0 | IN | Data Raw:
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49714 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:29:08 UTC | 0 | OUT | HEAD /index.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:29:09 UTC | 1 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:09 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757733; includeSubDomains
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49715 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:29:12 UTC | 1 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:29:12 UTC | 1 | IN | HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:29:12 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757729; includeSubDomains
Connection: close
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49716 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:29:13 UTC | 2 | OUT | GET /index.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:43 UTC | 2 | IN | HTTP/1.1 502 Bad Gateway
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Strict-Transport-Security: max-age=7757728; includeSubDomains
Date: Thu, 18 Aug 2022 02:31:43 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Transfer-Encoding: chunked
Data Ascii: 800<!DOCTYPE html><html lang="en"> <head> <title>Unable To Wake Up</title> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans"> <style> body { margin: 0; height: 100vh;
Data Ascii: } @media (max-width: 500px) { .message { flex-direction: column; align-items: center; } } .eval-bot { margin: 4em; } .console { background-color: #0e1628; col


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49765 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:43 UTC | 11 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:31:43 UTC | 11 | IN | HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:43 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757578; includeSubDomains
Connection: close
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49766 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:44 UTC | 12 | OUT | HEAD /index.html HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:31:44 UTC | 12 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:44 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757577; includeSubDomains
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49767 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:44 UTC | 12 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: dullghostwhitetwintext.karewen.repl.co
2022-08-18 02:31:45 UTC | 13 | IN | HTTP/1.1 404 Not Found
Content-Length: 207
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:44 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757577; includeSubDomains
Connection: close
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49768 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:45 UTC | 13 | OUT | GET /index.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)
Accept-Encoding: gzip, deflate
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:45 UTC | 13 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:45 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757576; includeSubDomains
Connection: close
Data Ascii: <!doctype html><html lang="en"><head><title>Good thing we disabled macros</title></head><body><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna
                                                                                                                                                            Data Ascii: , semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit.Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In qui
                                                                                                                                                            2022-08-18 02:31:45 UTC17INData Raw: 73 2c 20 74 75 72 70 69 73 20 64 6f 6c 6f 72 20 65 6c 65 69 66 65 6e 64 20 6d 61 73 73 61 2c 20 69 6e 20 6d 61 78 69 6d 75 73 20 73 61 70 69 65 6e 20 64 75 69 20 65 74 20 74 6f 72 74 6f 72 2e 20 51 75 69 73 71 75 65 20 76 61 72 69 75 73 20 65 6e 69 6d 20 73 65 64 20 65 6e 69 6d 20 76 65 6e 65 6e 61 74 69 73 20 74 65 6d 70 6f 72 2e 20 50 72 61 65 73 65 6e 74 20 71 75 69 73 20 76 6f 6c 75 74 70 61 74 20 6c 6f 72 65 6d 2e 20 50 65 6c 6c 65 6e 74 65 73 71 75 65 20 61 63 20 76 65 6e 65 6e 61 74 69 73 20 6c 61 63 75 73 2c 20 76 69 74 61 65 20 63 6f 6d 6d 6f 64 6f 20 6f 64 69 6f 2e 20 53 65 64 20 69 6e 20 6d 65 74 75 73 20 61 74 20 6c 69 62 65 72 6f 20 76 69 76 65 72 72 61 20 6d 6f 6c 6c 69 73 20 73 65 64 20 76 69 74 61 65 20 6e 69 62 68 2e 20 53 65 64 20 61 74
                                                                                                                                                            Data Ascii: s, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at
                                                                                                                                                            2022-08-18 02:31:45 UTC17INData Raw: 20 71 75 69 73 20 65 6c 65 69 66 65 6e 64 20 6e 65 63 2c 20 73 75 73 63 69 70 69 74 20 73 69 74 20 61 6d 65 74 20 6d 61 73 73 61 2e 20 56 69 76 61 6d 75 73 20 69 6e 20 6c 65 63 74 75 73 20 65 72 61 74 2e 20 4e 75 6c 6c 61 20 66 61 63 69 6c 69 73 69 2e 20 56 69 76 61 6d 75 73 20 73 65 64 20 6d 61 73 73 61 20 71 75 69 73 20 61 72 63 75 20 65 67 65 73 74 61 73 20 76 65 68 69 63 75 6c 61 2e 20 4e 75 6c 6c 61 20 6d 61 73 73 61 20 6c 6f 72 65 6d 2c 20 74 69 6e 63 69 64 75 6e 74 20 73 65 64 20 66 65 75 67 69 61 74 20 71 75 69 73 2c 20 66 61 75 63 69 62 75 73 20 61 20 72 69 73 75 73 2e 20 53 65 64 20 76 69 76 65 72 72 61 20 74 75 72 70 69 73 20 73 69 74 20 61 6d 65 74 20 6d 65 74 75 73 20 69 61 63 75 6c 69 73 20 66 69 6e 69 62 75 73 2e 0a 0a 4d 6f 72 62 69 20 63
                                                                                                                                                            Data Ascii: quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus.Morbi c


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49769 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:45 UTC | 20 | OUT | HEAD /index.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:46 UTC | 20 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:46 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757576; includeSubDomains
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49770 | 34.149.204.188 | 443 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
2022-08-18 02:31:46 UTC | 20 | OUT | HEAD /index.html HTTP/1.1
Authorization: Bearer
X-MS-CookieUri-Requested: t
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Existence Discovery
Host: dullghostwhitetwintext.karewen.repl.co
Connection: Keep-Alive
2022-08-18 02:31:46 UTC | 20 | IN | HTTP/1.1 200 OK
Content-Length: 5901
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2022 02:31:46 GMT
Expect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"
Replit-Cluster: global
Server: Werkzeug/2.1.2 Python/3.8.12
Strict-Transport-Security: max-age=7757575; includeSubDomains
Connection: close



Target ID: 0
Start time: 04:29:02
Start date: 18/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0xd60000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 04:29:08
Start date: 18/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0x940000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

No disassembly