Edit tour

Windows Analysis Report
YYYY-NNN AUDIT DETAIL REPORT .docx

Overview

General Information

Sample name:	YYYY-NNN AUDIT DETAIL REPORT .docx
Analysis ID:	1589950
MD5:	0475b8190723d39625ff0f476d11a9ea
SHA1:	6a8ff09cad3b66a9b69a289df76e729580c4135b
SHA256:	2c0b31d47ed0d44046c1a010cc26098507147783bd49c76fbf7daf678ce4343b
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Suricata IDS alerts for network traffic

Contains an external reference to another file

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64_ra

WINWORD.EXE (PID: 6372 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\YYYY-NNN AUDIT DETAIL REPORT .docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

chrome.exe (PID: 1032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1960,i,9699052757452476404,18213265251403622644,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49699, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 6372, Protocol: tcp, SourceIp: 159.60.138.212, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T11:11:22.324249+0100	2028371	3	Unknown Traffic	192.168.2.16	49699	159.60.138.212	443	TCP
2025-01-13T11:11:24.661868+0100	2028371	3	Unknown Traffic	192.168.2.16	49707	159.60.138.212	443	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T11:11:23.888972+0100	1810005	1	Potentially Bad Traffic	192.168.2.16	49705	159.60.138.212	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YYYY-NNN AUDIT DETAIL REPORT .docx

Avira: detected

Multi AV Scanner detection for submitted file

Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Virustotal: Detection: 11%			Perma Link
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	ReversingLabs: Detection: 15%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 159.60.138.212:443 -> 192.168.2.16:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.60.138.212:443 -> 192.168.2.16:49705 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 27MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.16:49705 -> 159.60.138.212:443

Source: global traffic

TCP traffic: 192.168.2.16:58948 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: TWC-11351-NORTHEASTUS TWC-11351-NORTHEASTUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49699 -> 159.60.138.212:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49707 -> 159.60.138.212:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /pages/prod/wal/audimex_addin.dot HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: audimex.nexi.itConnection: Keep-AliveCookie: 0a3d03=u6JiKlCSmktdiIoS71wkRwRm2Ai3I7z6w1P2bTBThFIkOoI5MUcPu7NnJrnySq1JiviEyVB45u8tmJWSmJ5xwhiz9I6mYWBN4MqS+iP/YW6vx0SpbqdEQuy7kjTC4J1FN6DX78RdOCTlnJQ0BJZsbRwIhziba5bCNkOJcS//CNJv7aA1

Source: global traffic

DNS traffic detected: DNS query: audimex.nexi.it

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 159.60.138.212:443 -> 192.168.2.16:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.60.138.212:443 -> 192.168.2.16:49705 version: TLS 1.2

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: screenshot

OCR: enable macros. Help CHIEF AUDIT EXECUTIVE: AUDIT DEPT. AUDIT TEAM EXECUTIVE SUMMARY Audit Scope and

Source: classification engine

Classification label: mal76.evad.winDOCX@15/4@1/3

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$YY-NNN AUDIT DETAIL REPORT .docx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{2E735720-8561-4F4E-A00F-CD1082DA26C7} - OProcSessId.dat

Jump to behavior

Source: YYYY-NNN AUDIT DETAIL REPORT .docx

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Virustotal: Detection: 11%
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\YYYY-NNN AUDIT DETAIL REPORT .docx" /o ""
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1960,i,9699052757452476404,18213265251403622644,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1960,i,9699052757452476404,18213265251403622644,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = word/_rels/header2.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = word/comments.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/item2.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = [trash]/0000.dat
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/item4.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/itemProps4.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/itemProps5.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = word/commentsExtended.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = word/people.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = docProps/custom.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/_rels/item4.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/_rels/item5.xml.rels
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/item3.xml
Source: YYYY-NNN AUDIT DETAIL REPORT .docx	Initial sample: OLE zip file path = customXml/item5.xml

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: YYYY-NNN AUDIT DETAIL REPORT .docx

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://audimex.nexi.it/pages/prod/wal/audimex_addin.dot

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YYYY-NNN AUDIT DETAIL REPORT .docx	11%	Virustotal		Browse
YYYY-NNN AUDIT DETAIL REPORT .docx	16%	ReversingLabs	Document.Exploit.TempInj
YYYY-NNN AUDIT DETAIL REPORT .docx	100%	Avira	EXP/TempInj.BA

Source	Detection	Scanner	Label	Link
https://audimex.nexi.it/pages/prod/wal/audimex_addin.dot	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
ves-io-f35000c6-187d-4400-baeb-13d55394e070.ac.vh.ves.io	159.60.138.212	true	true	unknown
audimex.nexi.it	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://audimex.nexi.it/pages/prod/wal/audimex_addin.dot	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
159.60.138.212	ves-io-f35000c6-187d-4400-baeb-13d55394e070.ac.vh.ves.io	Netherlands		11351	TWC-11351-NORTHEASTUS	true
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589950
Start date and time:	2025-01-13 11:10:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YYYY-NNN AUDIT DETAIL REPORT .docx
Detection:	MAL
Classification:	mal76.evad.winDOCX@15/4@1/3
Cookbook Comments:	Found application associated with file extension: .docx

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.109.68.129, 52.113.194.132, 199.232.210.172, 184.28.90.27, 40.79.173.41, 52.111.243.41, 52.111.243.42, 52.111.243.43, 52.111.243.40, 2.20.245.216, 2.20.245.225, 172.217.18.3, 184.28.89.167, 172.217.18.110, 64.233.167.84, 142.250.184.206, 52.111.236.32, 52.111.236.34, 52.111.236.35, 52.111.236.33, 2.21.65.130, 2.21.65.149, 23.200.88.61, 23.200.88.74, 2.16.164.40, 2.16.164.34, 2.16.164.33, 2.16.164.89, 88.221.110.138, 88.221.110.227, 40.126.32.74, 4.245.163.56, 13.107.253.45
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, a1847.dscg2.akamai.net, e11290.dspg.akamaiedge.net, clients2.google.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, wu-b-net.trafficmanager.net, ecs.office.com, fs.microsoft.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, nleditor.osi.office.net, s-0005.s-msedge.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, clients.l.google.com, europe.configsvc1.live.com.akadns.net, binaries.templates.cdn.office.net.edgesuite.net, support.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, go.microsoft.com, redirector.gvt1.com, prod.fs.microso
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Nexi" ] }
	{ "brands": [ "Nexi" ] }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Keep an eye on it", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "AUDIT REPORT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft", "Word" ] }
	{ "brands": [ "Microsoft", "Word" ] }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": [ "Microsoft", "Word" ] }
	{ "brands": [ "Microsoft", "Word" ] }
URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [ "Microsoft", "Word" ] }
	{ "brands": [ "Microsoft", "Word" ] }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "Nexi" }
	{ "brands": "Nexi" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://aeromorning.com	Get hash	malicious	Unknown	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	Get hash	malicious	Unknown	Browse
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse
	http://satelite.nv-ec.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse
	https://support.te-wt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse
	https://www.flndmy.er-xu.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse
	https://www.support.ue-vt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	1972921391166218927.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	29522576223272839.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	1329220172182926612.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	29112223682907312977.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	179861427815317256.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	16910148382611315301.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	199.232.214.172
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	199.232.210.172
s-part-0017.t-0009.fb-t-msedge.net	setup64v.2.9.7.msi	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	VlY57c5AF4.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	wN7EPNiHSM.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	32474162872806629906.js	Get hash	malicious	Strela Downloader	Browse	13.107.253.45
	0Ie2kYdPTW.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	97q26I8OtN.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	nkCBRtd25H.exe	Get hash	malicious	Unknown	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TWC-11351-NORTHEASTUS	http://aeromorning.com	Get hash	malicious	Unknown	Browse	98.82.157.137
	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	98.66.104.159
	6.elf	Get hash	malicious	Unknown	Browse	98.84.28.81
	https://informed.deliveryerz.top/us/	Get hash	malicious	Unknown	Browse	98.80.39.185
	https://informed.deliveryerw.top/us/	Get hash	malicious	Unknown	Browse	98.80.39.185
	http://ledger-recovery.co.uk/	Get hash	malicious	Unknown	Browse	98.84.237.203
	res.mips.elf	Get hash	malicious	Unknown	Browse	137.36.30.213
	6.elf	Get hash	malicious	Unknown	Browse	159.57.66.185
	4.elf	Get hash	malicious	Unknown	Browse	67.253.111.1
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	98.82.157.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	msit.exe	Get hash	malicious	LummaC Stealer	Browse	159.60.138.212
	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	159.60.138.212
	WSLRT.exe	Get hash	malicious	LummaC Stealer	Browse	159.60.138.212
	msit.msi	Get hash	malicious	LummaC Stealer	Browse	159.60.138.212
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	159.60.138.212
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	159.60.138.212
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	159.60.138.212
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
37f463bf4616ecd445d4a1937da06e19	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	159.60.138.212
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	159.60.138.212
	13478674376-78423498.01.exe	Get hash	malicious	Unknown	Browse	159.60.138.212
	Setup.msi	Get hash	malicious	Unknown	Browse	159.60.138.212
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	159.60.138.212
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	159.60.138.212

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Reputation:	high, very likely benign file
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Local\Temp\~DFA7307C5095550620.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD6C2ACE74E041A2E.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$YY-NNN AUDIT DETAIL REPORT .docx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.755467618635772
Encrypted:	false
SSDEEP:	3:TCZJG7CGQelzrDA1A+lkrJAcUH5llUDvk9P8a5ktP:OZveZDzdAZhUDvk9Ea6tP
MD5:	DFA69BA0151FC9A4954FBF90EFF19BE9
SHA1:	89A1EA1C15F88646F024E18EDB12FF4ECC2E3FD6
SHA-256:	C0E73C74CFF7197F0C22CAB0CFF1EA4014906FDC3565B2D9AE6730DD28E333EF
SHA-512:	C6ADFBEC83CB4B7FE9D2CAE0E0A8A7D65C97C8605D95DB303A5E410838DE6F18F88BAC6CF24763CB48A7F05BC59DA591680A9F0B440123CC721731A884A9E1E6
Malicious:	false
Preview:	.............................................................W...(O@....^.....V...G.Q.;...B@.i*Cy.....>..\.-...N..AK.l...q..e.......J{.l.O.}..j....xUO..=.j

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.7905210436397505
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	YYYY-NNN AUDIT DETAIL REPORT .docx
File size:	111'689 bytes
MD5:	0475b8190723d39625ff0f476d11a9ea
SHA1:	6a8ff09cad3b66a9b69a289df76e729580c4135b
SHA256:	2c0b31d47ed0d44046c1a010cc26098507147783bd49c76fbf7daf678ce4343b
SHA512:	db6347f4c7f8b1ed41b4d1e2498ed2b1c873d6091f2c9cb05a87954fa7fc911efc4419f3952a265497183832c2b5b60c15aa6c7da2aba8c3ff557efc874c50ae
SSDEEP:	1536:teZ3dqp8LDF0POlO+/IK85309yRzA9H2YfbwJQ8TVEt+okwsQVx2XUK1koAlRk9:tcNqePF0ml80IzEHFbwJQ8TFYdKvERM
TLSH:	13B3F128D814B82DC6232E78D46D44F4B3554902D75BAA1B7C18FBAC9B843CB963E7C7
File Content Preview:	PK..........!..m..............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	35e5c48caa8a8599

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "YYYY-NNN AUDIT DETAIL REPORT .docx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T11:11:22.324249+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.16	49699	159.60.138.212	443	TCP
2025-01-13T11:11:23.888972+0100	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.16	49705	159.60.138.212	443	TCP
2025-01-13T11:11:24.661868+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.16	49707	159.60.138.212	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 11:11:20.455303907 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:20.758094072 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:21.361165047 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:21.561451912 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:21.561486959 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:21.561553001 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:21.561989069 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:21.561995983 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.324100971 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.324249029 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.326896906 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.326905012 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.327292919 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.328875065 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.375323057 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.572109938 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:22.707459927 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.707602978 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.707693100 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.707693100 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.707715988 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.707746983 CET	49699	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.707752943 CET	443	49699	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.725179911 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.725218058 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:22.725286961 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.725917101 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:22.725934982 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.016113043 CET	49689	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:23.499000072 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.499104977 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.513653994 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.513703108 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.514664888 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.514772892 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.516051054 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.563327074 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.889077902 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.889276981 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.889358044 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.890753984 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.890778065 CET	443	49705	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.890800953 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.890829086 CET	49705	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.902786970 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.902833939 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:23.902931929 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.903203011 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:23.903222084 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:24.661248922 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:24.661868095 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:24.661905050 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:24.670655012 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:24.670663118 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:24.983155966 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:25.051531076 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.051582098 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.051718950 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.051745892 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.051759005 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.051759005 CET	49707	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.051772118 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.051779032 CET	443	49707	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.087558031 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.087600946 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.087691069 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.087863922 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.087877989 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.893654108 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.893737078 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.894237041 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.894247055 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:25.894514084 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:25.894517899 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.251847029 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.251934052 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.336518049 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.336551905 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.336600065 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.336615086 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.336637020 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.336678028 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.336697102 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.354425907 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.354470968 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.354513884 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.354521036 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.354551077 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.354569912 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.423233986 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.423296928 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.423330069 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.423345089 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.423361063 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.423427105 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.440833092 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.440901041 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.440928936 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.440943003 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.440958023 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.440965891 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.440984011 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.442544937 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.442588091 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.442614079 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.442621946 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.442641973 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.442661047 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.444277048 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.444327116 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.444355965 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.444365025 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.444390059 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.444407940 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.510061979 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.510091066 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.510191917 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.510221004 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.510267019 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.527638912 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.527704000 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.527739048 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.527760983 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.527776957 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.527873993 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.528466940 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.528511047 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.528542042 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.528547049 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.528580904 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.528600931 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.529510021 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.529558897 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.529629946 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.529635906 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.529680014 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.529695034 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.530329943 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.530379057 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.530411005 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.530415058 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.530458927 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.530467033 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.531462908 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.531506062 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.531537056 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.531541109 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.531584024 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.531594038 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.580369949 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.580435038 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.580466032 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.580472946 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.580523968 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.596892118 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.596936941 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.596991062 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.596997976 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.597032070 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.597053051 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.613903999 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.613950014 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.613987923 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.613993883 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.614037991 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.614058971 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.614681005 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.614732027 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.614764929 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.614769936 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.614794970 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.614814997 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.615478039 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.615520954 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.615559101 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.615564108 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.615573883 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.615607023 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.617151022 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.617197990 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.617228031 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.617233038 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.617255926 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.617274046 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.618108034 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.618150949 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.618166924 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.618172884 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.618204117 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.618216038 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.619180918 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.619221926 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.619251013 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.619256020 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.619283915 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.619298935 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.667449951 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.667469978 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.667547941 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.667576075 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.667624950 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.683886051 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.683902979 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.683995962 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.684024096 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.684108973 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.700673103 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.700689077 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.700753927 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.700779915 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.700865984 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.701292992 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701308012 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701369047 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.701376915 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701440096 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.701843023 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701858044 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701903105 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.701910973 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.701942921 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.702428102 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.702441931 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.702495098 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.702506065 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.702558994 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.703274012 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703289032 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703342915 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.703350067 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703413010 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.703588963 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703603029 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703655958 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.703664064 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.703733921 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.754302025 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.754324913 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.754391909 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.754420042 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.754448891 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.754488945 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.770757914 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.770771980 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.770890951 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.770912886 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.770958900 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.787647963 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.787664890 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.787767887 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.787775993 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.787833929 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.788068056 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.788081884 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.788145065 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.788151026 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.788366079 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.788899899 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.788914919 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.788978100 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.788984060 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789370060 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.789390087 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789403915 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789442062 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.789446115 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789526939 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.789834023 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789848089 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789917946 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.789922953 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.789988995 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.790633917 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.790648937 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.790723085 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.790729046 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.790781021 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.841108084 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.841145039 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.841187000 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.841200113 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.841258049 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.841274977 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.857673883 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.857686996 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.857749939 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.857757092 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.857811928 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.875650883 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.875669956 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.875727892 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.875734091 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.875761032 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.875785112 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.876104116 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876118898 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876173973 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.876178980 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876218081 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.876648903 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876662970 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876718998 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.876724005 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.876852989 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.877068043 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.877080917 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.877157927 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.877162933 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.877201080 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.880439043 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880454063 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880513906 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.880518913 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880564928 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.880783081 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880801916 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880857944 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.880861998 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.880903006 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.928057909 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.928078890 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.928174973 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.928180933 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.928225994 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.944591045 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.944612026 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.944685936 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.944691896 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.944833994 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.961289883 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.961313009 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.961368084 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.961393118 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.961436033 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.961896896 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.961914062 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.961973906 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.961986065 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962040901 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.962261915 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962275982 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962327957 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.962335110 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962358952 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.962374926 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.962671995 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962685108 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962739944 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.962744951 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.962825060 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.963041067 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963054895 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963104010 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.963109016 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963242054 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.963712931 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963728905 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963788033 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:26.963800907 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:26.963917017 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.014864922 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.014889956 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.014957905 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.014983892 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.015011072 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.015041113 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.031351089 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.031367064 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.031461000 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.031466007 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.031512976 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.048285961 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.048305988 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.048387051 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.048405886 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.048527002 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.048834085 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.048857927 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.048919916 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.048926115 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049026012 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049226046 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049241066 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049309015 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049314976 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049375057 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049441099 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049491882 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.049504042 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049535990 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049659967 CET	49709	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.049675941 CET	443	49709	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.093317032 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.093355894 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.093487978 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.093758106 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.093774080 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.940128088 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.940393925 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.940917015 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.940923929 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:27.941164017 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:27.941169024 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.277667046 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.277729988 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.277817965 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.278836966 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.278861046 CET	443	49712	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.278873920 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.278908014 CET	49712	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.322037935 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.322069883 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.322256088 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.322633028 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:28.322643995 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:28.615612030 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:28.928200960 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:29.115834951 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.115905046 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.116302967 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.116308928 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.116496086 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.116501093 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.513890982 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.513993025 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.514013052 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.514046907 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.514105082 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.514132977 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.514148951 CET	443	49715	159.60.138.212	192.168.2.16
Jan 13, 2025 11:11:29.514159918 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.514195919 CET	49715	443	192.168.2.16	159.60.138.212
Jan 13, 2025 11:11:29.535202980 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:29.798207998 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:30.735234976 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:33.082463980 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:33.145489931 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:33.384295940 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:33.991290092 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:35.200323105 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:37.609366894 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:37.945322990 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:39.412626982 CET	49673	443	192.168.2.16	204.79.197.203
Jan 13, 2025 11:11:42.410425901 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:11:47.545491934 CET	49678	443	192.168.2.16	20.189.173.10
Jan 13, 2025 11:11:52.017546892 CET	49680	80	192.168.2.16	192.229.211.108
Jan 13, 2025 11:12:53.970890045 CET	58948	53	192.168.2.16	1.1.1.1
Jan 13, 2025 11:12:53.975723028 CET	53	58948	1.1.1.1	192.168.2.16
Jan 13, 2025 11:12:53.975822926 CET	58948	53	192.168.2.16	1.1.1.1
Jan 13, 2025 11:12:53.975852013 CET	58948	53	192.168.2.16	1.1.1.1
Jan 13, 2025 11:12:53.980606079 CET	53	58948	1.1.1.1	192.168.2.16
Jan 13, 2025 11:12:54.427323103 CET	53	58948	1.1.1.1	192.168.2.16
Jan 13, 2025 11:12:54.428296089 CET	58948	53	192.168.2.16	1.1.1.1
Jan 13, 2025 11:12:54.433376074 CET	53	58948	1.1.1.1	192.168.2.16
Jan 13, 2025 11:12:54.433439970 CET	58948	53	192.168.2.16	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 11:11:21.488151073 CET	59457	53	192.168.2.16	1.1.1.1
Jan 13, 2025 11:11:21.560415030 CET	53	59457	1.1.1.1	192.168.2.16
Jan 13, 2025 11:11:54.248239040 CET	53	56343	1.1.1.1	192.168.2.16
Jan 13, 2025 11:11:54.318516970 CET	53	64492	1.1.1.1	192.168.2.16
Jan 13, 2025 11:11:55.320527077 CET	53	60560	1.1.1.1	192.168.2.16
Jan 13, 2025 11:12:24.803695917 CET	138	138	192.168.2.16	192.168.2.255
Jan 13, 2025 11:12:53.970418930 CET	53	56719	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 11:11:21.488151073 CET	192.168.2.16	1.1.1.1	0x4165	Standard query (0)	audimex.nexi.it	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 11:11:21.560415030 CET	1.1.1.1	192.168.2.16	0x4165	No error (0)	audimex.nexi.it	ves-io-f35000c6-187d-4400-baeb-13d55394e070.ac.vh.ves.io		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 11:11:21.560415030 CET	1.1.1.1	192.168.2.16	0x4165	No error (0)	ves-io-f35000c6-187d-4400-baeb-13d55394e070.ac.vh.ves.io		159.60.138.212	A (IP address)	IN (0x0001)	false
Jan 13, 2025 11:11:22.704035044 CET	1.1.1.1	192.168.2.16	0xb35b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 11:11:22.704035044 CET	1.1.1.1	192.168.2.16	0xb35b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 11:11:55.248766899 CET	1.1.1.1	192.168.2.16	0xa0b2	No error (0)	emerald-prod-asgth3agbdfbhpgz.b02.azurefd.net	shed.dual-low.s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 11:11:55.248929977 CET	1.1.1.1	192.168.2.16	0x337	No error (0)	emerald-prod-asgth3agbdfbhpgz.b02.azurefd.net	shed.dual-low.s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 11:11:55.248929977 CET	1.1.1.1	192.168.2.16	0x337	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 11:11:55.248929977 CET	1.1.1.1	192.168.2.16	0x337	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 11:11:55.248929977 CET	1.1.1.1	192.168.2.16	0x337	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

audimex.nexi.it

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49699	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:22 UTC	343	OUT	OPTIONS /pages/prod/wal/ HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: audimex.nexi.it
2025-01-13 10:11:22 UTC	788	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:22 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin allow: HEAD,GET,POST,OPTIONS,TRACE content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-length: 0 content-type: httpd/unix-directory x-envoy-upstream-service-time: 96 set-cookie: 0a3d03=PV1zj/eDxH69glNKZdgxU8RVcLQFm3xMWEpTwp+6eg/Eu0Pe4hRF+nJALzh0O/Oc0rf/1A1u7NEdYZE8+FdVB0HHN4BdAUQr+ZHFtNlBUm1lYr+PQfZlHIGkUUXMVunML8bZOKprxIq0Hd1gQwpGF/RlL9gYjdmi2obIkWJZSkNBt07j; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49705	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:23 UTC	246	OUT	OPTIONS /pages/prod/wal/ HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: audimex.nexi.it Content-Length: 0 Connection: Keep-Alive
2025-01-13 10:11:23 UTC	788	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:23 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin allow: HEAD,GET,POST,OPTIONS,TRACE content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-length: 0 content-type: httpd/unix-directory x-envoy-upstream-service-time: 70 set-cookie: 0a3d03=u6JiKlCSmktdiIoS71wkRwRm2Ai3I7z6w1P2bTBThFIkOoI5MUcPu7NnJrnySq1JiviEyVB45u8tmJWSmJ5xwhiz9I6mYWBN4MqS+iP/YW6vx0SpbqdEQuy7kjTC4J1FN6DX78RdOCTlnJQ0BJZsbRwIhziba5bCNkOJcS//CNJv7aA1; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49707	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:24 UTC	717	OUT	HEAD /pages/prod/wal/audimex_addin.dot HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: audimex.nexi.it Cookie: 0a3d03=u6JiKlCSmktdiIoS71wkRwRm2Ai3I7z6w1P2bTBThFIkOoI5MUcPu7NnJrnySq1JiviEyVB45u8tmJWSmJ5xwhiz9I6mYWBN4MqS+iP/YW6vx0SpbqdEQuy7kjTC4J1FN6DX78RdOCTlnJQ0BJZsbRwIhziba5bCNkOJcS//CNJv7aA1; 0a3d03=PV1zj/eDxH69glNKZdgxU8RVcLQFm3xMWEpTwp+6eg/Eu0Pe4hRF+nJALzh0O/Oc0rf/1A1u7NEdYZE8+FdVB0HHN4BdAUQr+ZHFtNlBUm1lYr+PQfZlHIGkUUXMVunML8bZOKprxIq0Hd1gQwpGF/RlL9gYjdmi2obIkWJZSkNBt07j
2025-01-13 10:11:25 UTC	852	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:24 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin last-modified: Mon, 03 Jun 2024 13:21:12 GMT etag: "e5c00-619fc35038c9d" accept-ranges: bytes content-length: 941056 content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-type: application/msword x-envoy-upstream-service-time: 76 set-cookie: 0a3d03=FXCc7RMto51Uh7rJ4EbaGo40K9ACbyQVBMFSkA+fIzGaEzFFcQh0uaXLk04chSlgrJcWUE0hxP+YNqTgfweIQysgK5gDykRWvRmSbLdryr2vrEazqakafMeD9tCLWhzZrnHNyxS/52TXU9TsU906LF8v3x0m2nggP+3wFfsXeHGV0iAz; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49709	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:25 UTC	397	OUT	GET /pages/prod/wal/audimex_addin.dot HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: audimex.nexi.it Connection: Keep-Alive Cookie: 0a3d03=u6JiKlCSmktdiIoS71wkRwRm2Ai3I7z6w1P2bTBThFIkOoI5MUcPu7NnJrnySq1JiviEyVB45u8tmJWSmJ5xwhiz9I6mYWBN4MqS+iP/YW6vx0SpbqdEQuy7kjTC4J1FN6DX78RdOCTlnJQ0BJZsbRwIhziba5bCNkOJcS//CNJv7aA1
2025-01-13 10:11:26 UTC	852	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:26 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin last-modified: Mon, 03 Jun 2024 13:21:12 GMT etag: "e5c00-619fc35038c9d" accept-ranges: bytes content-length: 941056 content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-type: application/msword x-envoy-upstream-service-time: 76 set-cookie: 0a3d03=Zul69/vfqzvkTZpfa9ZzXLHi9x9F4vKAJo9vZo/q9Ekz4ztyP5x+pOiErXhsaWcuSvRQfC3cW7UQxxon8eUgtRYE7Dl94af9E75IIZcMUV7WeefMZ7iKAs9iQx27WYgd3ztcVbMhBiz/hi0JHbtJHg68IU0f9wAXLf7UgVxY3oA2Xg58; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 00 09 00 00 00 00 00 00 00 00 10 00 00 0b 00 00 00 08 00 00 00 fe ff ff ff 00 00 00 00 08 00 00 00 76 00 00 00 ff 00 00 00 80 01 00 00 00 02 00 00 7a 02 00 00 00 03 00 00 76 03 00 00 ff 03 00 00 7e 04 00 00 00 05 00 00 7d 05 00 00 ff 05 00 00 7f 06 00 00 db 06 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: >vzv~}
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 40 04 fe ff 60 17 00 00 68 ff ff ff 09 00 ff ff 20 00 00 00 00 00 00 00 40 04 fe ff 78 18 00 00 58 ff ff ff 0c 00 ff ff 20 00 00 00 00 00 00 00 40 04 fe ff ff ff ff ff 54 ff ff ff 09 00 ff ff 20 00 00 00 00 00 00 00 80 19 00 00 00 00 00 00 00 04 fe ff b0 17 00 00 50 ff ff ff 98 17 00 00 60 00 00 00 09 00 ff ff 1d 00 20 00 25 00 00 00 d0 17 00 00 80 17 00 00 06 00 00 00 00 00 00 00 00 04 fe ff 10 18 00 00 4c ff ff ff c8 17 00 00 60 00 00 00 00 00 00 00 1d 00 0c 00 25 00 00 00 28 18 00 00 b0 17 00 00 07 00 00 00 00 00 00 00 40 04 fe ff f8 17 00 00 3c ff ff ff 0c 00 ff ff 20 00 00 00 00 00 00 00 40 04 fe ff d8 18 00 00 2c ff ff ff 0c 00 ff ff 20 00 00 00 00 00 00 00 40 04 fe ff 38 18 00 00 28 ff ff ff 09 00 ff ff 20 00 00 00 00 00 00 00 50 Data Ascii: @`h @xX @T P` %L`%(@< @, @8( P
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 00 00 84 08 00 0c 00 00 00 00 02 00 00 00 84 08 00 0c 00 00 00 10 02 00 00 00 84 08 00 0c 00 00 00 20 02 00 00 00 84 08 00 0c 00 00 00 30 02 00 00 00 84 08 00 0c 00 00 00 40 02 00 00 00 84 08 00 0c 00 00 00 50 02 00 00 00 84 08 00 0e 00 00 00 60 02 00 00 00 84 08 00 0c 00 00 00 70 02 00 00 00 84 08 00 0c 00 00 00 80 02 00 00 00 84 08 00 0c 00 00 00 90 02 00 00 00 84 08 00 0c 00 00 00 a0 02 00 00 00 84 08 00 0c 00 00 00 b0 02 00 00 00 84 08 00 0c 00 00 00 c0 02 00 00 00 84 08 00 1c 00 00 00 d0 02 00 00 00 84 08 00 1c 00 00 00 f0 02 00 00 00 84 08 00 1c 00 00 00 10 03 00 00 00 80 09 00 1e 00 00 00 30 03 00 00 00 84 08 00 22 00 00 00 50 03 00 00 00 84 08 00 10 00 00 00 78 03 00 00 00 80 09 00 22 00 00 00 88 03 00 00 00 84 08 00 0c 00 00 00 b0 03 00 00 00 84 Data Ascii: 0@P`p0"Px"
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: c6 03 ff ff ff ff 34 ff ff ff 03 00 ff ff 00 00 00 00 00 00 00 00 60 84 c8 03 ff ff ff ff 30 ff ff ff 03 00 ff ff 00 00 00 00 00 00 00 00 60 84 ca 03 ff ff ff ff 2c ff ff ff 03 00 ff ff 00 00 00 00 00 00 00 00 60 84 cc 03 ff ff ff ff 28 ff ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 0c 11 d2 03 a0 23 00 00 0a 00 03 60 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 60 3a 00 00 f8 fe 6b 00 ff ff ff ff ff ff ff ff 50 00 1a 00 06 00 06 00 c0 01 94 00 00 09 00 00 2c 21 d4 03 00 24 00 00 00 00 03 68 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 08 3c 00 00 78 ff 2b 00 e0 23 00 00 08 00 ff ff 44 00 1b 00 04 00 04 00 c6 01 bc 01 00 03 00 00 69 83 fe ff ff ff ff ff ff ff ff ff 08 01 ff ff 00 00 00 00 ff ff ff ff 20 00 00 00 00 00 00 00 0c Data Ascii: 4`0`,`(#``:kP,!$h<x+#Di
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 00 58 2c 15 00 9c 00 b6 00 0f 00 62 79 74 65 73 20 72 65 71 75 69 72 65 64 3a 00 20 00 a6 03 58 20 11 00 41 40 6e 02 01 00 00 00 00 00 00 00 b6 00 06 00 45 72 72 6f 72 20 20 00 30 03 58 20 11 00 b6 00 15 00 20 64 75 72 69 6e 67 20 43 72 79 70 74 45 6e 63 72 79 70 74 21 00 11 00 41 40 6e 02 01 00 00 00 00 00 6b 00 ff ff 58 0b 00 00 20 00 a4 03 ac 00 01 00 20 00 a6 03 24 20 fa 00 03 00 27 00 6a 03 00 00 a3 00 ac 03 38 0b 00 00 e0 00 04 00 14 00 44 65 73 74 72 6f 79 20 73 65 73 73 69 6f 6e 20 6b 65 79 2e 00 00 00 00 00 00 20 00 a0 03 1d 00 9b 00 47 00 20 00 a0 03 24 00 02 03 01 00 27 00 84 03 6a 00 00 00 00 00 00 00 e0 00 04 00 20 00 52 65 6c 65 61 73 65 20 6b 65 79 20 65 78 63 68 61 6e 67 65 20 6b 65 79 20 68 61 6e 64 6c 65 2e 00 00 20 00 a2 03 9b 00 47 00 Data Ascii: X,bytes required: X A@nError 0X during CryptEncrypt!A@nkX $ 'j8Destroy session key. G $'j Release key exchange key handle. G
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 00 01 78 ff 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 44 00 00 00 14 00 00 00 00 02 00 0c 80 0c 00 08 08 00 fd 91 40 00 00 00 13 ff 2f 0c 00 00 00 00 08 00 00 00 14 00 24 00 00 00 00 00 00 00 fc 7b 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 00 98 03 00 00 00 02 00 05 4b 4b 03 00 0d f5 00 00 00 00 08 08 00 8f 44 00 00 0c 1b 00 00 08 08 00 fd 91 40 00 00 08 1b 01 00 43 78 ff 00 0c 1b 02 00 1b 01 00 2a 31 70 ff 00 4c f5 00 00 00 00 f5 01 00 00 00 6c 70 ff 04 58 ff 34 6c 58 ff 6c 78 ff 04 5c ff 34 6c 5c ff 04 6c ff 5e 03 00 14 00 71 54 ff 3c 6c 5c ff 04 78 ff fc 58 6c 58 ff 04 70 ff fc 58 6c 54 ff fc 52 c3 32 04 00 5c ff 58 ff 1c cb 00 00 46 27 e4 fe 27 04 ff 27 24 ff f5 00 00 00 00 1b 04 00 5e 05 00 00 00 71 Data Ascii: xD@/${KKD@Cx*1pLlpX4lXlx\4l\l^qT<l\xXlXpXlTR2\XF'''$^q
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 00 fb ef 04 ff 1b 06 00 43 c8 fe 04 c8 fe f5 02 00 00 00 59 cc fe 04 d4 fe 60 fd c7 d0 fe 04 b8 fe 0a 07 00 10 00 04 b8 fe fb ef a8 fe 3a 98 fe 08 00 fb ef 88 fe 1b 06 00 43 4c fe 04 4c fe f5 02 00 00 00 59 50 fe 04 58 fe 60 fd c7 54 fe 04 3c fe 0a 07 00 10 00 04 3c fe fb ef 2c fe 60 31 78 ff 32 0c 00 3c ff 34 ff d0 fe c8 fe 54 fe 4c fe 36 1a 00 50 ff 40 ff 24 ff e4 fe d4 fe 04 ff b8 fe a8 fe 68 fe 58 fe 88 fe 3c fe 2c fe 00 00 14 80 00 00 00 00 08 00 50 01 b0 01 28 00 08 00 00 00 80 00 ba 55 00 00 00 00 10 00 00 00 00 00 01 00 00 00 00 01 78 ff 01 00 58 00 00 00 00 00 13 00 00 00 00 00 3c ff 01 00 34 ff 01 00 d0 fe 01 00 c8 fe 01 00 54 fe 01 00 4c fe 01 00 50 ff 02 00 40 ff 02 00 24 ff 02 00 04 ff 02 00 e4 fe 02 00 d4 fe 02 00 b8 fe 02 00 a8 fe 02 00 88 Data Ascii: CY`:CLLYPX`T<<,`1x2<4TL6P@$hX<,P(UxX<4TLP@$
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: ff ff 09 00 ff ff 20 00 00 00 10 00 00 00 40 04 fe ff f8 17 00 00 6a ff ff ff 0b 00 ff ff 20 00 00 00 10 00 00 00 40 04 fe ff ff ff ff ff 64 ff ff ff 08 00 ff ff 20 00 00 00 10 00 00 00 40 04 fe ff 98 17 00 00 54 ff ff ff 0c 00 ff ff 20 00 00 00 10 00 00 00 40 04 fe ff ff ff ff ff 44 ff ff ff 0c 00 ff ff 20 00 00 00 98 00 00 00 40 04 fe ff b0 17 00 00 34 ff ff ff 0c 00 ff ff 20 00 00 00 30 18 00 00 40 04 fe ff c8 17 00 00 24 ff ff ff 0c 00 ff ff 20 00 00 00 ff ff ff ff 40 04 fe ff ff ff ff ff 14 ff ff ff 0c 00 ff ff 20 00 00 00 ff ff ff ff d8 16 00 00 c0 02 74 04 76 04 78 04 7a 04 7c 04 ff ff ff ff 06 00 ff ff 40 04 fe ff ff ff ff ff 12 ff ff ff 0b 00 ff ff 20 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 05 00 00 ff ff ff ff ff Data Ascii: @j @d @T @D @4 0@$ @ tvxz\|@ 0
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 01 01 00 00 02 01 00 00 03 01 00 00 04 01 00 00 05 01 00 00 06 01 00 00 07 01 00 00 08 01 00 00 09 01 00 00 0a 01 00 00 fe ff ff ff 0c 01 00 00 0d 01 00 00 0e 01 00 00 0f 01 00 00 10 01 00 00 19 01 00 00 12 01 00 00 13 01 00 00 14 01 00 00 15 01 00 00 16 01 00 00 17 01 00 00 18 01 00 00 0b 01 00 00 fe ff ff ff 98 01 00 00 1c 01 00 00 92 01 00 00 1e 01 00 00 59 01 00 00 20 01 00 00 21 01 00 00 22 01 00 00 23 01 00 00 24 01 00 00 25 01 00 00 26 01 00 00 27 01 00 00 28 01 00 00 29 01 00 00 2a 01 00 00 2b 01 00 00 2c 01 00 00 2d 01 00 00 2e 01 00 00 2f 01 00 00 30 01 00 00 31 01 00 00 32 01 00 00 33 01 00 00 34 01 00 00 35 01 00 00 36 01 00 00 37 01 00 00 38 01 00 00 39 01 00 00 3a 01 00 00 3b 01 00 00 3c 01 00 00 3d 01 00 00 3e 01 00 00 3f 01 00 00 40 01 00 Data Ascii: Y !"#$%&'()*+,-./0123456789:;<=>?@
2025-01-13 10:11:26 UTC	16384	IN	Data Raw: 01 16 01 00 06 48 01 00 00 74 73 00 00 2c 01 00 00 70 03 00 00 49 75 00 00 57 75 00 00 47 a5 00 00 00 00 00 00 01 00 00 00 17 4a c5 7f 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 48 00 00 00 00 00 ec 02 14 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 47 65 74 55 73 65 72 4e 61 6d 65 41 00 00 00 00 00 00 ed 02 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 55 73 65 72 4e 61 6d 65 41 00 00 00 00 ff ff ff ff 01 00 00 00 ff ff a8 00 ff ff 00 00 42 c1 b1 09 0b 0c 75 47 83 cf 6e ac 66 12 3a be 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 b7 f7 85 1c c6 fe 29 4b 93 74 90 f1 69 71 bc 0c 10 00 00 00 03 00 00 00 05 00 00 00 07 00 00 00 ff ff ff ff ff ff ff ff 01 01 08 00 00 00 ff ff Data Ascii: Hts,pIuWuGJHGetUserNameA8GetUserNameABuGnf:*=h8+3q)Ktiq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.16	49712	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:27 UTC	435	OUT	HEAD /pages/prod/wal/audimex_addin.dot HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: audimex.nexi.it Connection: Keep-Alive Cookie: 0a3d03=Zul69/vfqzvkTZpfa9ZzXLHi9x9F4vKAJo9vZo/q9Ekz4ztyP5x+pOiErXhsaWcuSvRQfC3cW7UQxxon8eUgtRYE7Dl94af9E75IIZcMUV7WeefMZ7iKAs9iQx27WYgd3ztcVbMhBiz/hi0JHbtJHg68IU0f9wAXLf7UgVxY3oA2Xg58
2025-01-13 10:11:28 UTC	852	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:28 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin last-modified: Mon, 03 Jun 2024 13:21:12 GMT etag: "e5c00-619fc35038c9d" accept-ranges: bytes content-length: 941056 content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-type: application/msword x-envoy-upstream-service-time: 48 set-cookie: 0a3d03=RIqPzmZ434ymQTS38XW1YffV3Vmtmw7Pl6YHqVMJvQ7sAca+m3owoP2WUkii9ZKo5rNr1d0cw02DNiOWV9PLePaVCSdKkbM71cS64MLQxSICrG0tO57799tFdEUoYqRlgKPFz0O/RFuEyy5LyKvta9yg8MhW2cYYlr/1Ht1w6QmSZjT8; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.16	49715	159.60.138.212	443	6372	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-01-13 10:11:29 UTC	435	OUT	HEAD /pages/prod/wal/audimex_addin.dot HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: audimex.nexi.it Connection: Keep-Alive Cookie: 0a3d03=RIqPzmZ434ymQTS38XW1YffV3Vmtmw7Pl6YHqVMJvQ7sAca+m3owoP2WUkii9ZKo5rNr1d0cw02DNiOWV9PLePaVCSdKkbM71cS64MLQxSICrG0tO57799tFdEUoYqRlgKPFz0O/RFuEyy5LyKvta9yg8MhW2cYYlr/1Ht1w6QmSZjT8
2025-01-13 10:11:29 UTC	852	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 10:11:29 GMT cache-control: no-cache strict-transport-security: max-age=31536000 x-frame-options: sameorigin x-content-type-options: nosniff x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin last-modified: Mon, 03 Jun 2024 13:21:12 GMT etag: "e5c00-619fc35038c9d" accept-ranges: bytes content-length: 941056 content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' .audimex-hosting.com .audimex.com audimex.nexi.it content-type: application/msword x-envoy-upstream-service-time: 75 set-cookie: 0a3d03=nKV2BPGQ8piPQyk3LgalZuaUpARofCkvo7eC5iQyORJE/8b2ESCHBm2qYW0HqfqS1dBJOumYih344nqTsNUC/oLOaBNQpXTLB5vuPfQG/zmkqhwJ8Ewj1EzoNFKFJiS7qVjhzjQrePAvM7MsJuxlI7gXjwTzUieCNO7kuH9vjtUUKDs2; path=/ x-volterra-location: tn2-lon server: volt-adc connection: close

Target ID:	0
Start time:	05:11:19
Start date:	13/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\YYYY-NNN AUDIT DETAIL REPORT .docx" /o ""
Imagebase:	0xf30000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:11:52
Start date:	13/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:11:52
Start date:	13/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1960,i,9699052757452476404,18213265251403622644,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YYYY-NNN AUDIT DETAIL REPORT .docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\msoD106.tmp

C:\Users\user\AppData\Local\Temp\~DFA7307C5095550620.TMP

C:\Users\user\AppData\Local\Temp\~DFD6C2ACE74E041A2E.TMP

C:\Users\user\Desktop\~$YY-NNN AUDIT DETAIL REPORT .docx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "YYYY-NNN AUDIT DETAIL REPORT .docx"

Indicators

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
YYYY-NNN AUDIT DETAIL REPORT .docx