Edit tour

Windows Analysis Report
_________19.03.docx

Overview

General Information

Sample name:	_________19.03.docx
Analysis ID:	1668984
MD5:	f9026fabfb8d131863ad06fd72eb2717
SHA1:	ffa14e589d99a95d025b0ae5d7122319195622f7
SHA256:	4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
Tags:	cve-2017-0199docxuser-zhuzhu0009
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Internet Provider seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7720 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49716, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7720, Protocol: tcp, SourceIp: 91.218.228.26, SourceIsIpv6: false, SourcePort: 80

Suricata Signatures

ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-19T02:44:47.340125+0200	2033858	1	Malware Command and Control Activity Detected	192.168.2.4	49735	91.218.228.26	80	TCP

ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-19T02:44:46.343974+0200	2055080	1	Malware Command and Control Activity Detected	192.168.2.4	49734	91.218.228.26	80	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-19T02:44:43.229507+0200	2800029	1	Attempted User Privilege Gain	91.218.228.26	80	192.168.2.4	49726	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-19T02:44:40.837742+0200	1810005	1	Potentially Bad Traffic	192.168.2.4	49719	91.218.228.26	80	TCP
2025-04-19T02:44:45.155817+0200	1810005	1	Potentially Bad Traffic	192.168.2.4	49731	91.218.228.26	80	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://clack.su/fox.docx	Avira URL Cloud: Label: malware
Source: http://valisi.ru/first.rtf	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: _________19.03.docx	Virustotal: Detection: 44%			Perma Link
Source: _________19.03.docx	ReversingLabs: Detection: 41%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: global traffic	DNS query: name: clack.su
Source: global traffic	DNS query: name: clack.su
Source: global traffic	DNS query: name: valisi.ru

Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80

Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49716
Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49719
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49724
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49724
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49724
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49730
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49734
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49731
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49734
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49734
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49735
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49724
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49724 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49724
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49726
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49734
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 91.218.228.26:80 -> 192.168.2.4:49734
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80
Source: global traffic	TCP traffic: 192.168.2.4:49726 -> 91.218.228.26:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49731 -> 91.218.228.26:80
Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49719 -> 91.218.228.26:80
Source: Network traffic	Suricata IDS: 2033858 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf : 192.168.2.4:49735 -> 91.218.228.26:80
Source: Network traffic	Suricata IDS: 2055080 - Severity 1 - ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf : 192.168.2.4:49734 -> 91.218.228.26:80
Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 91.218.228.26:80 -> 192.168.2.4:49726

Source: Joe Sandbox View

ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU IHCRUInternet-HostingLtdMoscowRussiaRU

Source: global traffic	HTTP traffic detected: GET /fox.docx HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: clack.suConnection: Keep-AliveCookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Source: global traffic	HTTP traffic detected: GET /first.rtf HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: valisi.ruConnection: Keep-AliveCookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveKeep-Alive: timeout=5, max=100content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.documentlast-modified: Wed, 19 Mar 2025 11:29:09 GMTetag: "6eac-67daaa85-b8348916368e5d6e;;;"accept-ranges: bytescontent-length: 28332date: Sat, 19 Apr 2025 00:44:42 GMTserver: LiteSpeedData Raw: 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 1e 91 1a b7 ea 00 00 00 4e 02 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 92 51 4b c4 30 0c 80 df 05 ff 43 c9 fb 2d bb 13 44 e4 ba 7b 11 e1 de 44 e6 0f 08 6d b6 95 db da d2 46 bd fb f7 56 50 74 70 9e 7b 6c 9a 7c f9 12 b2 dd 1d a7 51 bd 71 ca 2e 78 0d eb aa 06 c5 de 04 eb 7c af e1 a5 7d 5c dd 81 ca 42 de d2 18 3c 6b 38 71 86 5d 73 7d b5 7d e6 91 a4 14 e5 c1 c5 ac 0a c5 67 0d 83 48 bc 47 cc 66 e0 89 72 15 22 fb f2 d3 85 34 91 94 67 ea 31 92 39 50 cf b8 a9 eb 5b 4c bf 19 d0 cc 98 6a 6f 35 a4 bd bd 01 d5 9e 22 2f 61 87 ae 73 86 1f 82 79 9d d8 cb 99 16 c8 47 61 6f d9 ae 62 2a f5 49 5c 99 46 b5 94 7a 16 0d 36 98 a7 12 ce 48 31 56 05 0d 78 de 68 b3 dc e8 ef 69 71 62 21 4b 42 68 42 e2 cb 3e 9f 19 97 84 d6 cb 85 fe 5f d1 3c e3 c7 e6 3d 24 8b f6 2b fc 6d 83 b3 2b 68 3e 00 50 4b 03 04 14 00 00 00 00 00 d9 41 73 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 5f 72 65 6c 73 2f 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 74 3f 39 7a bc 00 00 00 28 01 00 00 1e 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 5f 72 65 6c 73 2f 69 74 65 6d 31 2e 78 6d 6c 2e 72 65 6c 73 8d cf b1 8a c3 30 0c 06 e0 fd e0 de c1 68 6f 9c dc 50 ca 11 a7 4b 29 74 3b 4a 0e ba 1a 47 49 4c 63 cb 58 6a 69 df be e6 a6 2b 74 e8 28 89 ff fb 51 bb bd 85 45 5d 31 b3 a7 68 a0 a9 6a 50 18 1d 0d 3e 4e 06 7e fb fd 6a 03 8a c5 c6 c1 2e 14 d1 c0 1d 19 b6 dd e7 47 7b c4 c5 4a 09 f1 ec 13 ab a2 44 36 30 8b a4 6f ad d9 cd 18 2c 57 94 30 96 cb 48 39 58 29 63 9e 74 b2 ee 6c 27 d4 5f 75 bd d6 f9 bf 01 dd 93 a9 0e 83 81 7c 18 1a 50 fd 3d e1 3b 36 8d a3 77 b8 23 77 09 18 e5 45 85 76 17 16 0a a7 b0 fc 64 2a 8d aa b7 79 42 31 e0 05 c3 df aa a9 8a 09 ba 6b f5 d3 7f dd 03 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 26 9a f9 f2 c3 00 00 00 80 01 00 00 13 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 69 74 65 6d 31 2e 78 6d 6c a5 90 c1 0a c2 30 0c 86 5f 65 f4 ee 3a 3d a9 6c f3 22 9e 14 04 15 cf a1 cb b4 b0 36 a5 c9 44 df de aa 13 c4 83 17 2f 39 7c f9 f9 f2 93 72 71 75 5d 76 c1 c8 96 7c a5 c6 79 a1 32 f4 86 1a eb 4f 95 3a ec 57 a3 a9 ca 58 c0 37 d0 91 c7 4a dd 90 d5 a2 2e a9 17 9e a7 b1 0b 60 70 09 02 59 f2 f8 27 e2 4a 9d 45 c2 5c 6b 36 67 74 c0 b9 b3 26 12 53 2b b9 21 a7 a9 6d ad 41 3d 29 8a 99 7e c4 1f 06 ed 50 a0 49 1a 35 a8 23 76 20 d8 24 33 b2 fe 62 64 7a 87 5e be f9 16 29 74 98 60 88 14 30 ca 6d 33 38 d7 96 e5 55 ef af 66 ef 73 86 62 ec 83 bc ed 47 e0 35 b1 d4 12 7b 2c f5 af c4 b0 fd fc 5a 7d 07 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 15 aa 19 12 e7 00 00 00 4d 01 00 00 18 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 69 74 65 6d 50 72 6f 70 73 31 2e 78 6d 6c 65 90 41 6b 84 30 10 85 ef 85 fe 07 c9

Source: global traffic	HTTP traffic detected: GET /fox.docx HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: clack.suConnection: Keep-AliveCookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Source: global traffic	HTTP traffic detected: GET /first.rtf HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: valisi.ruConnection: Keep-AliveCookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d

Source: global traffic	DNS traffic detected: DNS query: clack.su
Source: global traffic	DNS traffic detected: DNS query: valisi.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/5.4.45set-cookie: wfvt_1026485859=6802f1fe1a5cc; expires=Sat, 19-Apr-2025 01:14:46 GMT; path=/; httponlycontent-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachelink: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"date: Sat, 19 Apr 2025 00:44:46 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/5.4.45set-cookie: wfvt_1026485859=6802f1ff2de53; expires=Sat, 19-Apr-2025 01:14:47 GMT; path=/; httponlycontent-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachelink: <http://valisi.ru/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 19 Apr 2025 00:44:47 GMTserver: LiteSpeedData Raw: 63 31 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 19 db 6e db ca f1 d9 fe 8a 15 0b 58 e4 09 c5 8b 44 59 8e 6c da 50 64 1b 0d 9a 34 41 ec 83 a2 b0 0d 61 4d ae a4 75 28 92 67 b9 b2 2c d8 02 8a 3e f4 3f fa 07 79 e8 01 da 87 fe 83 cf 1f 75 76 97 94 a8 8b 13 fb 24 28 60 53 e4 5e e6 3e b3 33 b3 07 95 e3 0f dd f3 bf 7e 3c 41 43 3e 8a 0e b7 0f c4 0f 8a 70 3c f0 35 36 d6 c4 00 c1 e1 e1 f6 d6 c1 88 70 8c 82 21 66 19 e1 be f6 f3 f9 69 6d 0f a6 f3 f1 18 8f 88 af dd 52 32 49 13 c6 35 14 24 31 27 31 ac 9b d0 90 0f 7d d7 75 9c d5 c5 78 cc 87 09 2b 2d ed 84 b7 38 0e 48 88 32 3e 0e 69 22 d7 73 ca 23 72 f8 f8 cf df fe fe db df 1e bf 3c fe f7 f1 df bf fd e3 f1 0b 82 97 5f c5 e3 cb e3 7f 1e ff f5 f8 ab 78 43 e8 01 a1 53 1a 8d 38 09 0e 6c b5 6f 7b 6b 89 bc b3 3f 01 9f bd f3 0f 1f de bd e9 7c 2a 21 5e 1a ef 7d ec 7c 3a 3b f9 d4 eb 7e 78 ff b1 73 fe f6 cd bb 13 0d d9 40 0a 10 53 a9 d5 50 90 65 a8 56 13 a4 45 34 fe 8c 18 89 7c 2d 03 3e 78 30 e6 88 02 db 1a 1a 32 d2 f7 b5 21 e7 69 db b6 6f 71 44 33 6a b1 b1 3d 49 6b b9 54 6c 3e 24 23 92 d9 7d 1a 71 46 32 6e f7 f1 ad d8 6a c1 43 72 2d 41 4b 30 55 01 26 03 38 7d 10 68 66 0d 92 64 10 11 9c d2 cc 0a 92 91 0d c4 1c f5 f1 88 46 53 ff 94 32 fc ea 0c c7 59 db 73 1c b3 01 ff 4d f8 6f 39 ce 4e 36 be 16 1a 8b 30 a7 b1 19 4c 19 8d 22 1a 54 25 e5 d5 8c 4f 23 92 0d 09 e1 55 c4 a7 29 f1 ab 9c dc 71 01 b7 ba c2 e2 7c e1 ef e1 ef e6 97 31 61 53 ab 0f ea 9d 5e 27 77 16 c0 d7 d0 88 84 14 83 f0 02 46 48 bc 60 5b 49 f4 bb d0 49 ae 04 92 a3 c6 06 34 4a 91 17 b4 8f 22 8e de 9e a0 d7 57 c0 2a 42 07 40 08 4d 39 ca 58 30 57 9e f0 85 66 36 a4 b7 b9 e0 83 24 04 b8 20 f8 ec 36 b6 39 1b c7 9f 6d b9 c4 ba c9 b4 c3 03 5b 41 78 12 1a 25 ad da 4d a1 c3 25 50 b7 84 65 34 89 ed ba e5 ea d7 e0 66 9e 61 bf 3d 79 bd 02 15 81 01 5e 90 38 a4 fd 2b 69 80 60 db 39 c9 52 73 9a d4 dc 0d be c5 6a 54 48 74 6b 6b 42 e3 30 99 58 bd 49 4a 46 c9 0d 3d 23 1c ac 60 90 21 1f dd 6b d7 38 23 3f b3 48 6b 4b 5b cd da 97 f6 a5 9d 59 13 2b 61 83 4b 9b 8e f0 80 64 97 76 90 30 72 69 cb cd 97 76 ab 7e d7 aa 5f da 9a a9 01 2e d8 67 a5 f1 00 3e b2 64 cc 02 a2 b5 ef 35 30 e2 00 73 b9 3a 07 2b a1 ce 9d e0 52 78 01 8d 83 68 1c 0a e0 37 f0 0f 03 72 7d 0d 14 4f 80 22 6b 44 63 e0 fc 08 64 e2 bb af f7 70 b3 55 ef 3b 75 c7 f3 b0 b7 eb e1 46 d3 6b f5 fb ad e6 6e d3 db 75 ea da 6c b6 2f b8 ac f4 c7 71 c0 41 82 3a 31 13 93 1b f7 b7 98 21 6c c6 26 db 2f 66 10 d5 89 1a e7 7e 62 81 cd 01 99 27 11 b8 61 cc 75 61 83 a0 7a cd d8 e7 96 Data Ascii: c15

Source: classification engine

Classification label: mal68.evad.winDOCX@2/5@3/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$_______19.03.docx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{66050E71-1D72-4227-BAD7-A2759737A87A} - OProcSessId.dat

Jump to behavior

Source: ~WRD0000.tmp.0.dr

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: _________19.03.docx	Virustotal: Detection: 44%
Source: _________19.03.docx	ReversingLabs: Detection: 41%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: ~WRD0000.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://clack.su/fox.docx

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	4 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	14 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
_________19.03.docx	45%	Virustotal		Browse
_________19.03.docx	42%	ReversingLabs	Document-Word.Trojan.RemoteTemplateInj

Source	Detection	Scanner	Label	Link
http://clack.su/fox.docx	100%	Avira URL Cloud	malware
http://valisi.ru/first.rtf	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
valisi.ru	91.218.228.26	true	true	unknown
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
clack.su	91.218.228.26	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://clack.su/fox.docx	true	Avira URL Cloud: malware	unknown
http://valisi.ru/first.rtf	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.218.228.26	valisi.ru	Russian Federation		203226	IHCRUInternet-HostingLtdMoscowRussiaRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1668984
Start date and time:	2025-04-19 02:43:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	_________19.03.docx
Detection:	MAL
Classification:	mal68.evad.winDOCX@2/5@3/1
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.20.38, 23.202.75.249, 52.109.8.36, 20.42.65.84, 23.1.33.10, 23.1.33.18, 52.111.230.25, 52.111.230.27, 52.111.230.26, 52.111.230.24, 52.123.129.14, 40.126.28.20, 204.79.197.222, 4.245.163.56
Excluded domains from analysis (whitelisted): fp.msedge.net, slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, prod-eus-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, onedscolprdeus02.eastus.cloudapp.azure.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadn
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.218.228.26	#U0434#U043e#U0433#U043e#U0432#U043e#U0440.pdf.lnk	Get hash	malicious	Unknown	Browse	ecols.ru/ecols.hta
91.218.228.26	____ ______.xls.lnk.bin.lnk	Get hash	malicious	Metasploit	Browse	ecols.ru/ecols.hta

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-0005.dual-s-msedge.net	Your Shipment Is On Its Way.eml	Get hash	malicious	Unknown	Browse	52.123.129.14
	3a8e85ffd4ab	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	52.123.129.14
	Message.eml	Get hash	malicious	HTMLPhisher	Browse	52.123.128.14
	Message.eml	Get hash	malicious	Unknown	Browse	52.123.128.14
	FFL-2025-00947 PAYMENT.docx.doc	Get hash	malicious	Unknown	Browse	52.123.128.14
	FFL-2025-00947 PAYMENT.docx.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	richardsewell-4-15-24.Bayer Heritage FCU BHFCU0425.eml	Get hash	malicious	Unknown	Browse	52.123.129.14
	$RCNW0Y4.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	52.123.129.14
	Deal Sheet & Commitment-New Deal (1).eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	52.123.128.14
	phish_alert_sp2_2.0.0.0.msg	Get hash	malicious	Unknown	Browse	52.123.128.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IHCRUInternet-HostingLtdMoscowRussiaRU	1isequal9.x86_64.elf	Get hash	malicious	Unknown	Browse	185.87.196.255
	#U0434#U043e#U0433#U043e#U0432#U043e#U0440.pdf.lnk	Get hash	malicious	Unknown	Browse	91.218.228.26
	____ ______.xls.lnk.bin.lnk	Get hash	malicious	Metasploit	Browse	91.218.228.26
	f8PZ0Uuwau.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	217.144.98.170
	grxpiPs2Fw.elf	Get hash	malicious	Mirai, Moobot	Browse	91.218.228.164
	http://hotel-karmen.ru	Get hash	malicious	Unknown	Browse	37.143.13.155
	LockyRansom.exe	Get hash	malicious	Unknown	Browse	37.143.9.154
	LockyRansom.exe	Get hash	malicious	Unknown	Browse	37.143.9.154
	KtMg6d1Ivx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.87.199.107
	https://googleads.g.doubleclick.net/pcs/click?xai=AKAOjsuLaMSxRbnmx4CaSYBD7UEX1peDpNeYnMWW4dVza-G52TGjr2vj5pKsC0MnZ5wKKbv48DTu4_9zifCV__nn-40JMtKyE_J-VMT8wv7a1Lf0nNBgkN5ubnqB_fbDSNDoYvSXrEeZ7mt6jhn1Gl78NJ_xm24v553oIbpIcOlySTxRzwS3ROTWKkuLKGhJpg1kkeB-2p7L0D_C0Tx_5HYnjwuOs8n8jzqBq4O3iSh2WW3Es8m8o5Fm3xTlO9UbT5wj7XWQmwefhVbuqmrnfemDwqzjrWGaSNRRqB_R9QTXSQjdFDdWTx0_Oo7RzbAWcjKqQR2JbLAW_ZYkDd6cz8q8BYpJJzzkZ6QKuyXH_CCgkPoul09CafKLox9uieqQMwQ&sai=AMfl-YQSMSxmTEvfKP4k3QH0IYz2PIsK1wo62PVWE2-bo7ZdB4Yue3XhmrRw5NnkQ1uiDEixQcvMUgBuCbvmwfqOzcwUGUmidc9tgXXMjS8Z7zb-8rHzyMziFnJ7Kv7S6gwBuwmLhiK3qougMvlVE4DWmw&sig=Cg0ArKJSzCxoV_8QjjEU&fbs_aeid=%5Bgw_fbsaeid%5D&adurl=https://dubaieventhost.com?26utm_source%3Dacuityads%26utm_medium%3Ddisplay%26utm_campaign%3D23%26utm_content%3D728x90_CyberWeek%26utm_term%3DNOOFR%26dclid%3D%25edclid!	Get hash	malicious	Unknown	Browse	95.183.11.171

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Reputation:	high, very likely benign file
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\Desktop\_________19.03.docx (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	56704
Entropy (8bit):	7.763520369568193
Encrypted:	false
SSDEEP:	768:ia9BfkLt5wPhPrxqkpYzhZzfIb72hgKc4/GkFEXRtv/hvTnqRINkagCI2eR+Grl:RB6upRUhE7YS4+Cmrv/hvTghagDR+G5
MD5:	CEE10264E377550CD27C2838667B1165
SHA1:	F25B660A099FE4D7BC77365FC2C6099F7554863E
SHA-256:	91325863AD76519F7A0F26EF86AABE89534B25E162824B97D43230FA1278254C
SHA-512:	553413C906A2DFF5B8CF64816B21C69BEB8B48C834A56432BA48040D801F5095E2F4D5837A4C7450A5C32417997F762C9140232224D2739DC6EB1D7AA670D593
Malicious:	true
Reputation:	low
Preview:	PK..........!...K.....m.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H...W...B.).]8."-H\]{...%{...3I..A!.!..DJf.}..-gf...d.....`...e.W.-.v{s59cYB.0.A.6.....`v...2.v.`+.p.y.+.".>..H..H.q...b..d:...w..'Xi.....bm0.\|....}.%.~6..W.......[...75"...@..G..M.T9U.9i.C:.........?...d.".oa).?....rm.2.\f../K-....B..R.}.&o#Vh....!......k.{.}H.qZ.J."jh{...?`8.....pk..H.......H.1.......D*..`.......Q....).G.q..h.;!....v..+......A#.k.F.o.{.......i....'?.00F....H..4..'....2....G.....2U.$

C:\Users\user\Desktop\~$_______19.03.docx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.731640959097586
Encrypted:	false
SSDEEP:	3:KVGl/lilKlRAGlAbF/4cux5mFMNh9VOVBiFHeb9V7HHKmRaa+qY6P:KVy/4KDyJruxmMNrVOjPb9NHHKm8LqXP
MD5:	73410AC45720096DF62C56DF7C8004ED
SHA1:	A1F1267BB5D67F3DC9CB55D40A105A83D17EC16D
SHA-256:	FBC7910A9373E8CD5C6AF5902A502007BC36D09F920CC6D08E6AD8FC04D43A9C
SHA-512:	9B6B397433871D0BD64A8C2220F2499DFFF92A99558AA018A4EA5B855E9E8498DFF06148315F77C6F424BCC8BC59A4AF2CD334A4CDAA39235C6DE959B16DAC13
Malicious:	false
Reputation:	low
Preview:	.user..................................................j.o.n.e.s...{...k..p.p`[..<..%..J.k3....i....l.Y.X.+.....`..k7..~a...........'.$'O.}.aj....0.N..=.j

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	56704
Entropy (8bit):	7.763520369568193
Encrypted:	false
SSDEEP:	768:ia9BfkLt5wPhPrxqkpYzhZzfIb72hgKc4/GkFEXRtv/hvTnqRINkagCI2eR+Grl:RB6upRUhE7YS4+Cmrv/hvTghagDR+G5
MD5:	CEE10264E377550CD27C2838667B1165
SHA1:	F25B660A099FE4D7BC77365FC2C6099F7554863E
SHA-256:	91325863AD76519F7A0F26EF86AABE89534B25E162824B97D43230FA1278254C
SHA-512:	553413C906A2DFF5B8CF64816B21C69BEB8B48C834A56432BA48040D801F5095E2F4D5837A4C7450A5C32417997F762C9140232224D2739DC6EB1D7AA670D593
Malicious:	false
Reputation:	low
Preview:	PK..........!...K.....m.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H...W...B.).]8."-H\]{...%{...3I..A!.!..DJf.}..-gf...d.....`...e.W.-.v{s59cYB.0.A.6.....`v...2.v.`+.p.y.+.".>..H..H.q...b..d:...w..'Xi.....bm0.\|....}.%.~6..W.......[...75"...@..G..M.T9U.9i.C:.........?...d.".oa).?....rm.2.\f../K-....B..R.}.&o#Vh....!......k.{.}H.qZ.J."jh{...?`8.....pk..H.......H.1.......D*..`.......Q....).G.q..h.;!....v..+......A#.k.F.o.{.......i....'?.00F....H..4..'....2....G.....2U.$

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft OOXML
Entropy (8bit):	7.928562966578789
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	_________19.03.docx
File size:	52'301 bytes
MD5:	f9026fabfb8d131863ad06fd72eb2717
SHA1:	ffa14e589d99a95d025b0ae5d7122319195622f7
SHA256:	4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
SHA512:	496f7ea4bd96533f02623a6a5755eccec6d7e4b16c46924a8d41951ec862e274c4ec7b4aa43f2db8ab08379cb2309287c7455e54fab56175f40d6d0848773a2c
SSDEEP:	1536:NKvY2UlwL6buqh9dLpHmcTyAiC5SzkAXulN:NKgtu4dLwcGAiC53iQN
TLSH:	B433E010CE1C1026C746A7346A4D1D86F70DD16AEAC1B72B6E56DACC4982BC35F27CDA
File Content Preview:	PK..........!.........N......._rels/.rels..QK.0.....C..-..D..{...D...m.....F...VPtp.{l.\|......Q.q..x........\|...}\...B...<k8q.]s}.}..........g..H.G.f..r."....4..g.1.9P....[L.....jo5......"/a..s...y......Gao..b*.I\.F..z..6....H1V..x.h....iqb!KBhB..>.......

File Icon


Icon Hash:	35e5c48caa8a8599

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-19T02:44:40.837742+0200	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.4	49719	91.218.228.26	80	TCP
2025-04-19T02:44:43.229507+0200	2800029	ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass	1	91.218.228.26	80	192.168.2.4	49726	TCP
2025-04-19T02:44:45.155817+0200	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.4	49731	91.218.228.26	80	TCP
2025-04-19T02:44:46.343974+0200	2055080	ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf	1	192.168.2.4	49734	91.218.228.26	80	TCP
2025-04-19T02:44:47.340125+0200	2033858	ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf	1	192.168.2.4	49735	91.218.228.26	80	TCP

Network Port Distribution

Total Packets: 113
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2025 02:44:38.633733034 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.010466099 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.011039019 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.011279106 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.387878895 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876626968 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876643896 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876655102 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876708031 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.876727104 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876739025 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876749992 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876760960 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.876773119 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.876780033 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.913635015 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:39.921441078 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.921463966 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:39.921523094 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.075665951 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.244064093 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.244174957 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253591061 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253611088 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253624916 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253638983 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253648043 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253653049 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253662109 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253679037 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253684044 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253695011 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253701925 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253710032 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253725052 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.253734112 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253758907 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.253782988 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.264323950 CEST	80	49716	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.264379978 CEST	49716	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.308156013 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.308229923 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.308360100 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.540925980 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837677956 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837697029 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837713003 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837728024 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837742090 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.837755919 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.837770939 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837781906 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.837795019 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837810040 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.837820053 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.837836027 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.837863922 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.851665020 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.851686954 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.871555090 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.878360987 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.878379107 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:40.878407001 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:40.878421068 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.070095062 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.070116043 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.070149899 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.070162058 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.070175886 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.070213079 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.070233107 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.070247889 CEST	80	49719	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.070276976 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.070343971 CEST	49719	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.248621941 CEST	80	49724	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.248723030 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.249003887 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.626068115 CEST	80	49724	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.626091003 CEST	80	49724	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:41.672148943 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:41.694412947 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.066442013 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.066740990 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.066957951 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.438878059 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439097881 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439110994 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439124107 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439184904 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.439194918 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439208031 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439218044 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439229012 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439233065 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.439239979 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439245939 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439256907 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.439265013 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.439306021 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.439306021 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.811322927 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811341047 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811352015 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811378956 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811388969 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811399937 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811410904 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811423063 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811434031 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811444998 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811455965 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811472893 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:42.811481953 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.811481953 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.811518908 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.811518908 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:42.857609987 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:43.229506969 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:43.229576111 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:43.389374018 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:43.620464087 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:43.620543003 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:43.620726109 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:43.851835012 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100126982 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100192070 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100238085 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.100279093 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100291967 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100311995 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100327015 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100349903 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.100351095 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.100379944 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.101605892 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.105494976 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.199604988 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.199678898 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.199687004 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.199738026 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.225159883 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.225209951 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.331327915 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.331373930 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.331374884 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.331407070 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.331413984 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.331423044 CEST	80	49730	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.331445932 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.331461906 CEST	49730	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.488872051 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:44.488961935 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.489150047 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:44.872569084 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155724049 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155778885 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155817032 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.155826092 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155875921 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155915022 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.155915022 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.155936956 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.155973911 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.155983925 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.156048059 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.156079054 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.156893015 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.168044090 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.168219090 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.170644045 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.242647886 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.242692947 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.242742062 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.242790937 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.262331009 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.262389898 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.539453030 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.539482117 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.539509058 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.539511919 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.539540052 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.539550066 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.539566040 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.539589882 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.547000885 CEST	80	49734	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.547107935 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.547377110 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.551435947 CEST	80	49731	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:45.551480055 CEST	49731	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:45.923831940 CEST	80	49734	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:46.295002937 CEST	80	49734	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:46.300976038 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:46.343974113 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:46.680351019 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:46.680495024 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:46.680639982 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.059813023 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.339966059 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.339998007 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.340028048 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.340125084 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.340125084 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.351562977 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.351562977 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.369962931 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.370126009 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.370465040 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.370488882 CEST	80	49735	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.370527029 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.370651960 CEST	49735	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.614042044 CEST	80	49724	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:47.614109993 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:47.680000067 CEST	49724	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:48.057131052 CEST	80	49724	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:49.414531946 CEST	80	49726	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:49.414608002 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:52.926661015 CEST	80	49734	91.218.228.26	192.168.2.4
Apr 19, 2025 02:44:52.939002037 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:52.940320015 CEST	49734	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:44:53.316687107 CEST	80	49734	91.218.228.26	192.168.2.4
Apr 19, 2025 02:46:24.087412119 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:46:24.868294001 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:46:26.433728933 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:46:29.540301085 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:46:35.758924007 CEST	49726	80	192.168.2.4	91.218.228.26
Apr 19, 2025 02:46:48.180716991 CEST	49726	80	192.168.2.4	91.218.228.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2025 02:44:37.594063997 CEST	62728	53	192.168.2.4	1.1.1.1
Apr 19, 2025 02:44:38.594216108 CEST	62728	53	192.168.2.4	1.1.1.1
Apr 19, 2025 02:44:38.631468058 CEST	53	62728	1.1.1.1	192.168.2.4
Apr 19, 2025 02:44:38.699384928 CEST	53	62728	1.1.1.1	192.168.2.4
Apr 19, 2025 02:44:42.977391958 CEST	57742	53	192.168.2.4	1.1.1.1
Apr 19, 2025 02:44:43.388605118 CEST	53	57742	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2025 02:44:37.594063997 CEST	192.168.2.4	1.1.1.1	0xcc09	Standard query (0)	clack.su	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:38.594216108 CEST	192.168.2.4	1.1.1.1	0xcc09	Standard query (0)	clack.su	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:42.977391958 CEST	192.168.2.4	1.1.1.1	0xe886	Standard query (0)	valisi.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2025 02:44:35.501529932 CEST	1.1.1.1	192.168.2.4	0xad67	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2025 02:44:35.501529932 CEST	1.1.1.1	192.168.2.4	0xad67	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:35.501529932 CEST	1.1.1.1	192.168.2.4	0xad67	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:38.631468058 CEST	1.1.1.1	192.168.2.4	0xcc09	No error (0)	clack.su		91.218.228.26	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:38.699384928 CEST	1.1.1.1	192.168.2.4	0xcc09	No error (0)	clack.su		91.218.228.26	A (IP address)	IN (0x0001)	false
Apr 19, 2025 02:44:43.388605118 CEST	1.1.1.1	192.168.2.4	0xe886	No error (0)	valisi.ru		91.218.228.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clack.su

valisi.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49716	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:39.011279106 CEST	321	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: clack.su
Apr 19, 2025 02:44:39.876626968 CEST	1358	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: PHPSESSID=eba6953baf6806e6900f830f92e49542; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache set-cookie: wfvt_733659977=6802f1f7a44ac; expires=Sat, 19-Apr-2025 01:14:39 GMT; path=/; httponly content-type: text/html; charset=UTF-8 link: <http://clack.su/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Sat, 19 Apr 2025 00:44:39 GMT server: LiteSpeed Data Raw: 32 32 38 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 43 6c 61 63 6b 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0d 0a 09 0d 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 6c 61 63 6b 2e 73 75 2f 77 70 2d 63 [TRUNCATED] Data Ascii: 228d<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Clack</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://clack.su/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/style.css?5" media="screen">...[if lt IE 9]> <script src="http://
Apr 19, 2025 02:44:39.876643896 CEST	1358	IN	Data Raw: 68 74 6d 6c 35 73 68 69 76 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37 Data Ascii: html5shiv.googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]-->... Google Tag Manager for WordPress by gtm4wp.com --><script data-cfasync="fa
Apr 19, 2025 02:44:39.876655102 CEST	1358	IN	Data Raw: 29 5b 30 5d 2b 22 2c 22 2b 74 5b 31 5d 2b 22 2c 22 2b 74 5b 32 5d 2b 22 2c 22 2b 74 5b 33 5d 2c 72 2e 66 69 6c 6c 54 65 78 74 28 69 28 35 35 33 35 36 2c 35 37 32 32 31 2c 35 35 33 35 36 2c 35 37 33 34 33 29 2c 30 2c 30 29 2c 61 21 3d 28 74 3d 72 Data Ascii: )[0]+","+t[1]+","+t[2]+","+t[3],r.fillText(i(55356,57221,55356,57343),0,0),a!=(t=r.getImageData(16,16,1,1).data)[0]+","+t[1]+","+t[2]+","+t[3];case"simple":return r.fillText(i(55357,56835),0,0),0!==r.getImageData(16,16,1,1).data[0];case"unicod
Apr 19, 2025 02:44:39.876727104 CEST	1358	IN	Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 63 6f 6e 74 61 63 74 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a Data Ascii: !important;}</style><link rel='stylesheet' id='contact-form-7-css' href='http://clack.su/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style_main-css'
Apr 19, 2025 02:44:39.876739025 CEST	1358	IN	Data Raw: 75 30 34 33 65 5c 75 30 34 33 31 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 62 5c 75 30 34 33 35 5c 75 30 34 33 64 5c 75 30 34 33 65 20 5c 75 30 34 33 32 20 5c 75 30 34 33 61 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 37 5c 75 30 Data Ascii: u043e\u0431\u0430\u0432\u043b\u0435\u043d\u043e \u0432 \u043a\u043e\u0440\u0437\u0438\u043d\u0443!","wrong_promocode":"\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434","your_promocode":"\u0412\
Apr 19, 2025 02:44:39.876749992 CEST	1358	IN	Data Raw: 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 61 5c 75 30 34 33 38 22 2c 22 69 74 65 6d 73 22 3a 22 5c 75 30 34 31 66 Data Ascii: 0442\u043e\u043c \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438","items":"\u041f\u043e\u0437\u0438\u0446\u0438\u0439:","total_sum":"\u0418\u0442\u043e\u0433\u043e:","user_in":"2","submit":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u0
Apr 19, 2025 02:44:39.876760960 CEST	1290	IN	Data Raw: 69 70 74 22 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 75 72 6c 29 7b 0a 09 69 66 28 2f 28 3f 3a 43 68 72 6f 6d 65 5c 2f 32 36 5c 2e 30 5c 2e 31 34 31 30 5c 2e 36 33 20 53 61 66 61 72 69 5c 2f 35 33 37 5c 2e 33 31 7c 57 6f 72 64 66 65 6e 63 65 54 65 73 Data Ascii: ipt">(function(url){if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31\|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; }var addEvent = function(evt, handler) {if (window.addEventListener) {document.addEventListener(evt, handl
Apr 19, 2025 02:44:39.921441078 CEST	1358	IN	Data Raw: 32 30 30 61 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 d0 a0 d1 Data Ascii: 200a<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");
Apr 19, 2025 02:44:39.921463966 CEST	1358	IN	Data Raw: 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 74 29 5b 30 5d 2c 6b 2e 61 73 79 6e 63 3d 31 2c 6b 2e 73 72 63 3d 72 2c 61 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6b 2c 61 29 7d 29 0d 0a Data Ascii: =e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(89683691, "init", { clickmap:true, trackLinks:true,
Apr 19, 2025 02:44:40.244064093 CEST	1358	IN	Data Raw: 2c 0d 0a 09 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0d 0a 09 27 68 74 74 70 73 Data Ascii: ,j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-WQ3XLCG');</script>... End Goo
Apr 19, 2025 02:44:40.253591061 CEST	1358	IN	Data Raw: 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 28 6e 6f 73 63 72 69 70 74 29 Data Ascii: e;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><header class="header"><div class="wrap"><a href="/" class="header-logo"></a><div class="header-phone"><div class="header-label">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49719	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:40.308360100 CEST	224	OUT	OPTIONS / HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: clack.su Content-Length: 0 Connection: Keep-Alive
Apr 19, 2025 02:44:40.837677956 CEST	1358	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache set-cookie: wfvt_733659977=6802f1f8a0a59; expires=Sat, 19-Apr-2025 01:14:40 GMT; path=/; httponly content-type: text/html; charset=UTF-8 link: <http://clack.su/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Sat, 19 Apr 2025 00:44:40 GMT server: LiteSpeed Data Raw: 32 32 38 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 43 6c 61 63 6b 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0d 0a 09 0d 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 6c 61 63 6b 2e 73 75 2f 77 70 2d 63 [TRUNCATED] Data Ascii: 228d<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Clack</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://clack.su/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://clack.su/wp-content/themes/filtrest/style.css?5" media="screen">...[if lt IE 9]> <script src="http://
Apr 19, 2025 02:44:40.837697029 CEST	1358	IN	Data Raw: 68 74 6d 6c 35 73 68 69 76 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37 Data Ascii: html5shiv.googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]-->... Google Tag Manager for WordPress by gtm4wp.com --><script data-cfasync="fa
Apr 19, 2025 02:44:40.837713003 CEST	1358	IN	Data Raw: 29 5b 30 5d 2b 22 2c 22 2b 74 5b 31 5d 2b 22 2c 22 2b 74 5b 32 5d 2b 22 2c 22 2b 74 5b 33 5d 2c 72 2e 66 69 6c 6c 54 65 78 74 28 69 28 35 35 33 35 36 2c 35 37 32 32 31 2c 35 35 33 35 36 2c 35 37 33 34 33 29 2c 30 2c 30 29 2c 61 21 3d 28 74 3d 72 Data Ascii: )[0]+","+t[1]+","+t[2]+","+t[3],r.fillText(i(55356,57221,55356,57343),0,0),a!=(t=r.getImageData(16,16,1,1).data)[0]+","+t[1]+","+t[2]+","+t[3];case"simple":return r.fillText(i(55357,56835),0,0),0!==r.getImageData(16,16,1,1).data[0];case"unicod
Apr 19, 2025 02:44:40.837728024 CEST	1358	IN	Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 63 6f 6e 74 61 63 74 2d 66 6f 72 6d 2d 37 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a Data Ascii: !important;}</style><link rel='stylesheet' id='contact-form-7-css' href='http://clack.su/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style_main-css'
Apr 19, 2025 02:44:40.837770939 CEST	1358	IN	Data Raw: 75 30 34 33 65 5c 75 30 34 33 31 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 62 5c 75 30 34 33 35 5c 75 30 34 33 64 5c 75 30 34 33 65 20 5c 75 30 34 33 32 20 5c 75 30 34 33 61 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 37 5c 75 30 Data Ascii: u043e\u0431\u0430\u0432\u043b\u0435\u043d\u043e \u0432 \u043a\u043e\u0440\u0437\u0438\u043d\u0443!","wrong_promocode":"\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434","your_promocode":"\u0412\
Apr 19, 2025 02:44:40.837795019 CEST	1358	IN	Data Raw: 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 30 5c 75 30 34 33 32 5c 75 30 34 33 61 5c 75 30 34 33 38 22 2c 22 69 74 65 6d 73 22 3a 22 5c 75 30 34 31 66 Data Ascii: 0442\u043e\u043c \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438","items":"\u041f\u043e\u0437\u0438\u0446\u0438\u0439:","total_sum":"\u0418\u0442\u043e\u0433\u043e:","user_in":"2","submit":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u0
Apr 19, 2025 02:44:40.837820053 CEST	1290	IN	Data Raw: 69 70 74 22 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 75 72 6c 29 7b 0a 09 69 66 28 2f 28 3f 3a 43 68 72 6f 6d 65 5c 2f 32 36 5c 2e 30 5c 2e 31 34 31 30 5c 2e 36 33 20 53 61 66 61 72 69 5c 2f 35 33 37 5c 2e 33 31 7c 57 6f 72 64 66 65 6e 63 65 54 65 73 Data Ascii: ipt">(function(url){if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31\|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; }var addEvent = function(evt, handler) {if (window.addEventListener) {document.addEventListener(evt, handl
Apr 19, 2025 02:44:40.878360987 CEST	1358	IN	Data Raw: 32 30 30 61 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 d0 a0 d1 Data Ascii: 200a<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");
Apr 19, 2025 02:44:40.878379107 CEST	1358	IN	Data Raw: 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 74 29 5b 30 5d 2c 6b 2e 61 73 79 6e 63 3d 31 2c 6b 2e 73 72 63 3d 72 2c 61 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6b 2c 61 29 7d 29 0d 0a Data Ascii: =e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(89683691, "init", { clickmap:true, trackLinks:true,
Apr 19, 2025 02:44:41.070095062 CEST	1358	IN	Data Raw: 2c 0d 0a 09 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0d 0a 09 27 68 74 74 70 73 Data Ascii: ,j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-WQ3XLCG');</script>... End Goo
Apr 19, 2025 02:44:41.070116043 CEST	1358	IN	Data Raw: 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 28 6e 6f 73 63 72 69 70 74 29 Data Ascii: e;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><header class="header"><div class="wrap"><a href="/" class="header-logo"></a><div class="header-phone"><div class="header-label">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49724	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:41.249003887 CEST	464	OUT	HEAD /fox.docx HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: clack.su Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59; wfvt_733659977=6802f1f7a44ac; PHPSESSID=eba6953baf6806e6900f830f92e49542
Apr 19, 2025 02:44:41.626091003 CEST	352	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document last-modified: Wed, 19 Mar 2025 11:29:09 GMT etag: "6eac-67daaa85-b8348916368e5d6e;;;" accept-ranges: bytes content-length: 28332 date: Sat, 19 Apr 2025 00:44:41 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49726	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:42.066957951 CEST	255	OUT	GET /fox.docx HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: clack.su Connection: Keep-Alive Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Apr 19, 2025 02:44:42.439097881 CEST	1358	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document last-modified: Wed, 19 Mar 2025 11:29:09 GMT etag: "6eac-67daaa85-b8348916368e5d6e;;;" accept-ranges: bytes content-length: 28332 date: Sat, 19 Apr 2025 00:44:42 GMT server: LiteSpeed Data Raw: 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 1e 91 1a b7 ea 00 00 00 4e 02 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 92 51 4b c4 30 0c 80 df 05 ff 43 c9 fb 2d bb 13 44 e4 ba 7b 11 e1 de 44 e6 0f 08 6d b6 95 db da d2 46 bd fb f7 56 50 74 70 9e 7b 6c 9a 7c f9 12 b2 dd 1d a7 51 bd 71 ca 2e 78 0d eb aa 06 c5 de 04 eb 7c af e1 a5 7d 5c dd 81 ca 42 de d2 18 3c 6b 38 71 86 5d 73 7d b5 7d e6 91 a4 14 e5 c1 c5 ac 0a c5 67 0d 83 48 bc 47 cc 66 e0 89 72 15 22 fb f2 d3 85 34 91 94 67 ea 31 92 39 50 cf b8 a9 eb 5b 4c bf 19 d0 cc 98 6a 6f 35 a4 bd bd 01 d5 9e 22 2f 61 87 ae 73 86 1f 82 79 9d d8 cb 99 16 c8 47 61 6f d9 ae 62 2a f5 49 5c 99 46 b5 94 7a 16 0d 36 98 a7 12 ce 48 31 56 05 0d 78 de 68 b3 dc e8 ef 69 71 62 21 4b 42 68 42 e2 cb 3e 9f 19 97 84 d6 cb 85 fe 5f d1 3c e3 c7 e6 3d 24 8b f6 2b fc 6d 83 b3 2b 68 3e 00 50 4b 03 04 14 00 00 00 00 00 d9 41 73 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 63 75 73 74 6f 6d 58 6d 6c 2f 5f 72 65 6c 73 2f 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 74 3f 39 [TRUNCATED] Data Ascii: PK!N_rels/.relsQK0C-D{DmFVPtp{l\|Qq.x\|}\B<k8q]s}}gHGfr"4g19P[Ljo5"/asyGaobI\Fz6H1Vxhiqb!KBhB>_<=$+m+h>PKAsZcustomXml/_rels/PK!t?9z(customXml/_rels/item1.xml.rels0hoPK)t;JGILcXji+t(QE]1hjP>N~j.G{JD60o,W0H9X)ctl'_u\|P=;6w#wEvdyB1kPK!&customXml/item1.xml0_e:=l"6D/9\|rqu]v\|y2O:WX7J.`pY'JE\k6gt&S+!mA=)~PI5#v $3bdz^)t`0m38UfsbG5{,Z}PK!McustomXml/itemProps1.xmleAk0]cE]Z^Cw&#Xix3Lss>t-{r8wiRnT3:hCv1FE*z8$6L'Sb/dZ^H eYK"
Apr 19, 2025 02:44:42.439110994 CEST	1358	IN	Data Raw: 45 9b d0 b2 2b d1 72 e0 3c e8 2b 58 15 32 5c c0 c5 e1 84 de 2a 8a d2 5f 38 4e 93 d1 20 51 af 16 1c f1 22 cf 1f b9 5e 23 de 9e ed cc ba 2d cf cf f6 0b 4c e1 af dc a2 ad de fc a3 58 a3 3d 06 9c 28 d3 68 7f 01 9b 71 cd 71 a5 b0 a8 a8 2c 90 da ce 64 Data Ascii: E+r<+X2\*_8N Q"^#-LX=(hqq,dkPK!ZCbdocProps/app.xmlSn0?7J+EbaCmL;lIXY{O#)Zz\d/>vq-D8b7>`$)c
Apr 19, 2025 02:44:42.439124107 CEST	1358	IN	Data Raw: fd bc 70 01 dc fa cc ff 82 f4 15 10 69 0d 26 3d 4c 44 67 13 91 4f 92 f9 26 9c fb 70 e3 33 df 9e d4 60 cf e8 e0 c1 27 c2 fc 2f 63 58 06 7e f4 1f 5c ff 00 50 4b 03 04 14 00 00 00 08 00 ee 41 73 5a c9 5f ac 4e cc 00 00 00 4c 01 00 00 1c 00 00 00 77 Data Ascii: pi&=LDgO&p3`'/cX~\PKAsZ_NLword/_rels/settings.xml.relsN1ws2 .:bj, *10iNQq(nAQX^A`vK&b7;E>[&RfQBJ+Wo+S
Apr 19, 2025 02:44:42.439194918 CEST	1358	IN	Data Raw: 8b a6 4d 44 5d 60 c2 bc 8c 5b 36 99 c9 d9 22 71 ef 54 92 7b 65 7b 68 b8 dd 82 2d 32 43 80 71 7f 54 1d a4 3f 43 f7 ea 9b 6b d4 fc 43 6e f6 2f 50 4b 03 04 14 00 00 00 08 00 00 00 21 00 da cc b4 e2 53 02 00 00 1e 0a 00 00 11 00 00 00 77 6f 72 64 2f Data Ascii: MD]`[6"qT{e{h-2CqT?CkCn/PK!Sword/endnotes.xml0@.AIfhU3xI&$o-C]tcH#3+AGT\7yTIAgfu1K!mkAt&N*qSVI)21/Q
Apr 19, 2025 02:44:42.439208031 CEST	1358	IN	Data Raw: 5f ef 46 5c d1 54 0f bc 9a 12 93 da 76 70 ac c4 39 7f 66 b3 6a 7d ae 8b e1 24 dc d5 87 93 7e 27 ee 0f 93 c3 fa c2 b7 ea c3 7b 91 13 eb 1b 8d d1 8f 3b 6d 53 4e 5f f1 3e 74 2a d7 0e 92 a3 9b 5d 4f e2 1d de 77 30 f6 37 3b be e9 77 86 5f 86 15 ef 87 Data Ascii: _F\Tvp9fj}$~'{;mSN_>t*]Ow07;w_mM7ML>0WPK!iQ,word/footer1.xml]O0'?XN E-iht8MCRi?~GJ>~G5&b2r}
Apr 19, 2025 02:44:42.439218044 CEST	1358	IN	Data Raw: b7 d7 51 cf ed f2 da f1 b4 a8 52 79 02 f6 b1 5f e7 5f f0 ca f9 db c4 28 ec b1 22 1e d1 2a fa 58 78 3e 67 e3 44 40 15 9e 26 1e 94 9a 9f 92 1b f5 3c 40 1a c0 a8 03 88 69 d1 b3 a4 1b 46 5c 33 30 28 7f e2 58 76 1e 66 d2 60 ec 51 9c b6 fa 5e 6f ce c3 Data Ascii: QRy__("*Xx>gD@&<@iF\30(Xvf`Q^oD+~&O'3,@h8M>m2#!e@z"4'pHAd9W-w~$ZJ2;r%;RbnqYS4rqD~lJ0oZ
Apr 19, 2025 02:44:42.439229012 CEST	1358	IN	Data Raw: 8b e3 31 c8 9f 00 82 1d fa de 18 35 bf 18 15 62 ab 6a 04 ba 99 04 02 55 23 52 30 8d f4 1f 9b 0b a7 91 fc 31 29 9a 46 9a 8f 49 f1 34 d2 28 9d ea 71 82 0b c9 38 0c 6e 84 aa 89 81 a6 da e2 9a a8 e7 9d 9c 01 58 12 53 7e 2e ab d2 bc 00 d3 0d 7b 0c 29 Data Ascii: 15bjU#R01)FI4(q8nXS~.{)E`5y~1!Y5{HNVzwBd%f4;UuQSi0X6~Azg+O'9;UD=#"1X#$\|\ )3+fa_Q?eo
Apr 19, 2025 02:44:42.439239979 CEST	1358	IN	Data Raw: 4c 43 59 8b 1d 3b db 9c 6c 74 66 da 57 b3 a8 f5 64 23 dd 9b 85 f3 60 ee ba f3 66 fb b2 04 62 2e 4a 70 4a dd ce 88 21 cb 82 5b 51 60 01 0b 6d 8a e3 07 22 a5 15 99 a0 26 fc 5c bb c9 d5 ef ab 06 68 7d 26 5b d6 16 0b 66 88 65 63 2a 14 9b 40 26 48 a6 Data Ascii: LCY;ltfWd#`fb.JpJ![Q`m"&\h}&[fec@&HL1)wlJdjk]{:<AT@SvOvoXuJ?a2&w~LnI4n'{sqMChEPWGU~ YhO_6\6'\PKA
Apr 19, 2025 02:44:42.439245939 CEST	1358	IN	Data Raw: bc 56 b2 8f 84 69 b2 fb ea 4d d6 3e b2 28 33 09 ed c8 76 9f d1 5b 51 5f 55 d9 e8 72 d9 a9 01 76 97 b8 8f 32 a7 d9 e5 99 53 64 b7 59 bb 56 2a 3a 30 f9 8a 2e 31 14 b1 2c 64 93 c9 6f f7 51 ea ad a4 c7 37 88 7a 43 97 b8 af 7a 44 a3 d5 e0 b2 bb 3c bd Data Ascii: ViM>(3v[Q_Urv2SdYV*:0.1,doQ7zCzD<0(.rR]y 5\|pA#7WGgjd6]w'uJwk[5u47@h6/PC"`u ;>[/:9&2s
Apr 19, 2025 02:44:42.439256907 CEST	1358	IN	Data Raw: 48 48 08 07 09 09 e1 20 21 21 1c 24 24 84 83 84 84 70 90 90 10 0e 12 12 c2 41 42 42 38 48 48 08 07 09 09 e1 20 21 21 1c 24 24 84 83 84 84 70 90 90 10 0e 12 12 c2 41 42 42 38 48 48 f8 ff 0f c2 ed 79 f5 94 74 5a f2 c4 6d e2 82 fc ce 4f 79 93 8d 06 Data Ascii: HH !!$$pABB8HH !!$$pABB8HHytZmOy2ce)zKWQisNSXg8LfzK"AnvEHB+, (%H'R@mqX(oSK@V f;l
Apr 19, 2025 02:44:42.811322927 CEST	1358	IN	Data Raw: 6d 44 5a 55 da bc b4 67 d2 2e a5 73 d2 b5 e9 cd e9 9b d3 cf a4 df ce c8 cc 98 94 b1 34 e3 58 c6 e7 99 09 99 c6 cc 39 99 cf 64 7e 3c 32 72 64 c1 c8 59 23 f7 8e 7c 6f 14 73 94 76 54 cb a8 27 47 bd 93 85 67 a9 b2 9a b3 b6 67 bd 3d 1a 1f ad 1e 6d 1b Data Ascii: mDZUg.s4X9d~<2rdY#\|osvT'Ggg=msD'qJJ.f[S(X4TZJf}DcEq[y,.O(S,PF9ZIw?PTU5jMffV]^_kL1\|K'3
Apr 19, 2025 02:44:42.857609987 CEST	293	OUT	HEAD /fox.docx HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: clack.su Connection: Keep-Alive Cookie: PHPSESSID=b9e6303e515dc6233f459e6662a37489; wfvt_733659977=6802f1f8a0a59
Apr 19, 2025 02:44:43.229506969 CEST	352	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: application/vnd.openxmlformats-officedocument.wordprocessingml.document last-modified: Wed, 19 Mar 2025 11:29:09 GMT etag: "6eac-67daaa85-b8348916368e5d6e;;;" accept-ranges: bytes content-length: 28332 date: Sat, 19 Apr 2025 00:44:43 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49730	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:43.620726109 CEST	322	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: valisi.ru
Apr 19, 2025 02:44:44.100126982 CEST	1358	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: PHPSESSID=c23817273c64555c130cc0150a4922ad; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache set-cookie: wfvt_1026485859=6802f1fbe39a9; expires=Sat, 19-Apr-2025 01:14:43 GMT; path=/; httponly content-type: text/html; charset=UTF-8 link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Sat, 19 Apr 2025 00:44:43 GMT server: LiteSpeed Data Raw: 32 30 64 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 46 69 6c 6d 74 65 63 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0a 09 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f [TRUNCATED] Data Ascii: 20de<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Filmtec</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://valisi.ru/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/style.css?3" media="screen">...[if lt IE 9]> <script src="http://html5shiv
Apr 19, 2025 02:44:44.100192070 CEST	1358	IN	Data Raw: 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37 2d 6a 73 2e 67 6f 6f 67 6c 65 Data Ascii: .googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]--><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/i
Apr 19, 2025 02:44:44.100279093 CEST	1358	IN	Data Raw: 21 3d 3d 72 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 31 36 2c 31 36 2c 31 2c 31 29 2e 64 61 74 61 5b 30 5d 7d 72 65 74 75 72 6e 21 31 7d 28 72 5b 6e 5d 29 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 3d 74 2e 73 75 70 70 6f Data Ascii: !==r.getImageData(16,16,1,1).data[0]}return!1}(r[n]),t.supports.everything=t.supports.everything&&t.supports[r[n]],"flag"!==r[n]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[r[n]]);t.supports.everythingExceptFl
Apr 19, 2025 02:44:44.100291967 CEST	1358	IN	Data Raw: 73 2f 77 70 2d 73 68 6f 70 2d 6f 72 69 67 69 6e 61 6c 2f 77 70 2d 73 68 6f 70 2e 63 73 73 3f 76 65 72 3d 31 39 38 61 35 37 32 66 30 32 30 34 34 61 34 36 34 61 33 35 34 37 66 66 37 35 36 35 34 36 30 32 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 Data Ascii: s/wp-shop-original/wp-shop.css?ver=198a572f02044a464a3547ff75654602' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style-css' href='http://valisi.ru/wp-content/plugins/wp-shop-original/styles/default.css?ver=198a572f02044a
Apr 19, 2025 02:44:44.100311995 CEST	1358	IN	Data Raw: 5c 75 30 34 34 63 5c 75 30 34 33 37 5c 75 30 34 33 65 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 62 5c 75 30 34 33 38 20 5c 75 30 34 33 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 63 5c 75 30 34 33 65 5c 75 30 34 33 61 5c 75 30 Data Ascii: \u044c\u0437\u043e\u0432\u0430\u043b\u0438 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434: ","show_panel":"0","yandex":"","promocode":"0","cartpage":"http:\/\/valisi.ru\/cart\/","order":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u043
Apr 19, 2025 02:44:44.100327015 CEST	1358	IN	Data Raw: 6e 5f 6c 69 6e 6b 22 3a 22 23 22 2c 22 63 6f 6e 74 5f 73 68 6f 70 22 3a 22 5c 75 30 34 31 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 33 62 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 32 5c 75 30 Data Ascii: n_link":"#","cont_shop":"\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u043f\u043e\u043a\u0443\u043f\u043a\u0438","is_empty":"\u0412\u0430\u0448\u0430 \u043a\u043e\u0440\u0437\u0438\u043d\u0430 \u043f\u0443\u0441\u0442\u0430.",
Apr 19, 2025 02:44:44.100351095 CEST	861	IN	Data Raw: 75 6d 65 6e 74 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 65 76 74 2c 20 68 61 6e 64 6c 65 72 2c 20 66 61 6c 73 65 29 3b 0a 09 09 7d 20 65 6c 73 65 20 69 66 20 28 77 69 6e 64 6f 77 2e 64 65 74 61 63 68 45 76 65 6e 74 29 20 7b Data Ascii: ument.removeEventListener(evt, handler, false);} else if (window.detachEvent) {document.detachEvent('on' + evt, handler);}};var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypres
Apr 19, 2025 02:44:44.199604988 CEST	1358	IN	Data Raw: 32 30 63 38 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 45 55 52 Data Ascii: 20c8<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "EUR";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");}if (w
Apr 19, 2025 02:44:44.199687004 CEST	1358	IN	Data Raw: 72 72 65 6e 74 5f 70 61 67 65 5f 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 68 6f 6d 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 36 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 22 3e d0 93 d0 bb d0 b0 d0 b2 d0 Data Ascii: rrent_page_item menu-item-home menu-item-62"><a href="http://valisi.ru/"></a></li><li id="menu-item-67" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-67"><a href="http://valisi.ru/about/">
Apr 19, 2025 02:44:44.225159883 CEST	1358	IN	Data Raw: 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 36 2f 30 35 2f 70 72 69 63 65 5f 68 79 64 72 6f 74 65 63 68 5f 32 30 31 35 2e 70 64 66 22 20 63 6c 61 73 73 3d 22 73 6c 69 64 65 2d 6c 69 6e 6b 22 3e d0 9f d1 80 d0 b0 d0 b9 d1 81 2d d0 bb d0 Data Ascii: ontent/uploads/2016/05/price_hydrotech_2015.pdf" class="slide-link">-</a></div> ... /slider --><div class="content"><ul class="cat maincat"><li><a href="http://valisi.ru/obezzhelezivanie/" class="cat-img"><img src
Apr 19, 2025 02:44:44.331327915 CEST	1358	IN	Data Raw: 61 74 2d 74 69 74 6c 65 22 3e d0 9e d0 b1 d0 b5 d1 81 d1 81 d0 be d0 bb d0 b8 d0 b2 d0 b0 d0 bd d0 b8 d0 b5 3c 2f 61 3e 0a 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 63 61 74 2d 73 75 62 6d 65 6e 75 22 3e 0a 09 09 09 09 09 3c 2f 75 6c 3e 0a 09 09 3c Data Ascii: at-title"></a><ul class="cat-submenu"></ul><li><a href="http://valisi.ru/reagenty/" class="cat-img"><img src="http://valisi.ru/wp-content/uploads/2016/05/reagenty-e14119751904911.png" alt="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49731	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:44.489150047 CEST	225	OUT	OPTIONS / HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: valisi.ru Content-Length: 0 Connection: Keep-Alive
Apr 19, 2025 02:44:45.155724049 CEST	1358	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache set-cookie: wfvt_1026485859=6802f1fcf250d; expires=Sat, 19-Apr-2025 01:14:44 GMT; path=/; httponly content-type: text/html; charset=UTF-8 link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Sat, 19 Apr 2025 00:44:45 GMT server: LiteSpeed Data Raw: 32 30 64 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 31 31 30 30 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 64 76 61 6e 63 65 64 20 73 74 75 64 69 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 46 69 6c 6d 74 65 63 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 20 2f 3e 0a 09 0a 09 3c 21 2d 2d 20 63 73 73 20 2d 2d 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f [TRUNCATED] Data Ascii: 20de<!DOCTYPE html><html lang="ru"><head><meta charset="UTF-8"><meta name="viewport" content="width=1100"><meta name="author" content="Advanced studio"><title>Filmtec</title><meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />... css --><link rel="shortcut icon" href="http://valisi.ru/wp-content/themes/filtrest/favicon.ico"><link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/jquery.fancybox.css" media="screen"><link rel="stylesheet" href="http://valisi.ru/wp-content/themes/filtrest/style.css?3" media="screen">...[if lt IE 9]> <script src="http://html5shiv
Apr 19, 2025 02:44:45.155778885 CEST	1358	IN	Data Raw: 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 74 72 75 6e 6b 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 69 65 37 2d 6a 73 2e 67 6f 6f 67 6c 65 Data Ascii: .googlecode.com/svn/trunk/html5.js"></script> <script src="http://ie7-js.googlecode.com/svn/version/2.1(beta4)/IE9.js"></script> <![endif]--><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/i
Apr 19, 2025 02:44:45.155826092 CEST	1358	IN	Data Raw: 21 3d 3d 72 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 31 36 2c 31 36 2c 31 2c 31 29 2e 64 61 74 61 5b 30 5d 7d 72 65 74 75 72 6e 21 31 7d 28 72 5b 6e 5d 29 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 3d 74 2e 73 75 70 70 6f Data Ascii: !==r.getImageData(16,16,1,1).data[0]}return!1}(r[n]),t.supports.everything=t.supports.everything&&t.supports[r[n]],"flag"!==r[n]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[r[n]]);t.supports.everythingExceptFl
Apr 19, 2025 02:44:45.155875921 CEST	1358	IN	Data Raw: 73 2f 77 70 2d 73 68 6f 70 2d 6f 72 69 67 69 6e 61 6c 2f 77 70 2d 73 68 6f 70 2e 63 73 73 3f 76 65 72 3d 31 39 38 61 35 37 32 66 30 32 30 34 34 61 34 36 34 61 33 35 34 37 66 66 37 35 36 35 34 36 30 32 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 Data Ascii: s/wp-shop-original/wp-shop.css?ver=198a572f02044a464a3547ff75654602' type='text/css' media='all' /><link rel='stylesheet' id='wp-shop_style-css' href='http://valisi.ru/wp-content/plugins/wp-shop-original/styles/default.css?ver=198a572f02044a
Apr 19, 2025 02:44:45.155936956 CEST	1358	IN	Data Raw: 5c 75 30 34 34 63 5c 75 30 34 33 37 5c 75 30 34 33 65 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 62 5c 75 30 34 33 38 20 5c 75 30 34 33 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 63 5c 75 30 34 33 65 5c 75 30 34 33 61 5c 75 30 Data Ascii: \u044c\u0437\u043e\u0432\u0430\u043b\u0438 \u043f\u0440\u043e\u043c\u043e\u043a\u043e\u0434: ","show_panel":"0","yandex":"","promocode":"0","cartpage":"http:\/\/valisi.ru\/cart\/","order":"\u041e\u0444\u043e\u0440\u043c\u0438\u0442\u044c \u043
Apr 19, 2025 02:44:45.155983925 CEST	1358	IN	Data Raw: 6e 5f 6c 69 6e 6b 22 3a 22 23 22 2c 22 63 6f 6e 74 5f 73 68 6f 70 22 3a 22 5c 75 30 34 31 66 5c 75 30 34 34 30 5c 75 30 34 33 65 5c 75 30 34 33 34 5c 75 30 34 33 65 5c 75 30 34 33 62 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 32 5c 75 30 Data Ascii: n_link":"#","cont_shop":"\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u043f\u043e\u043a\u0443\u043f\u043a\u0438","is_empty":"\u0412\u0430\u0448\u0430 \u043a\u043e\u0440\u0437\u0438\u043d\u0430 \u043f\u0443\u0441\u0442\u0430.",
Apr 19, 2025 02:44:45.156048059 CEST	861	IN	Data Raw: 75 6d 65 6e 74 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 65 76 74 2c 20 68 61 6e 64 6c 65 72 2c 20 66 61 6c 73 65 29 3b 0a 09 09 7d 20 65 6c 73 65 20 69 66 20 28 77 69 6e 64 6f 77 2e 64 65 74 61 63 68 45 76 65 6e 74 29 20 7b Data Ascii: ument.removeEventListener(evt, handler, false);} else if (window.detachEvent) {document.detachEvent('on' + evt, handler);}};var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypres
Apr 19, 2025 02:44:45.242647886 CEST	1358	IN	Data Raw: 32 30 63 38 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 76 61 72 20 5f 5f 63 61 72 74 20 3d 20 30 3b 0a 09 76 61 72 20 5f 5f 77 20 3d 20 30 3b 0a 0a 09 43 55 52 52 20 3d 20 22 45 55 52 Data Ascii: 20c8<script type="text/javascript">var __cart = 0;var __w = 0;CURR = "EUR";jQuery(document).ready(function(){if (window.Cart !== undefined){window.__cart = new window.Cart("wpshop_minicart", "wpshop_cart");}if (w
Apr 19, 2025 02:44:45.242692947 CEST	1358	IN	Data Raw: 72 72 65 6e 74 5f 70 61 67 65 5f 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 68 6f 6d 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 36 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 61 6c 69 73 69 2e 72 75 2f 22 3e d0 93 d0 bb d0 b0 d0 b2 d0 Data Ascii: rrent_page_item menu-item-home menu-item-62"><a href="http://valisi.ru/"></a></li><li id="menu-item-67" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-67"><a href="http://valisi.ru/about/">
Apr 19, 2025 02:44:45.262331009 CEST	1358	IN	Data Raw: 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 36 2f 30 35 2f 70 72 69 63 65 5f 68 79 64 72 6f 74 65 63 68 5f 32 30 31 35 2e 70 64 66 22 20 63 6c 61 73 73 3d 22 73 6c 69 64 65 2d 6c 69 6e 6b 22 3e d0 9f d1 80 d0 b0 d0 b9 d1 81 2d d0 bb d0 Data Ascii: ontent/uploads/2016/05/price_hydrotech_2015.pdf" class="slide-link">-</a></div> ... /slider --><div class="content"><ul class="cat maincat"><li><a href="http://valisi.ru/obezzhelezivanie/" class="cat-img"><img src
Apr 19, 2025 02:44:45.539453030 CEST	1358	IN	Data Raw: 61 74 2d 74 69 74 6c 65 22 3e d0 9e d0 b1 d0 b5 d1 81 d1 81 d0 be d0 bb d0 b8 d0 b2 d0 b0 d0 bd d0 b8 d0 b5 3c 2f 61 3e 0a 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 63 61 74 2d 73 75 62 6d 65 6e 75 22 3e 0a 09 09 09 09 09 3c 2f 75 6c 3e 0a 09 09 3c Data Ascii: at-title"></a><ul class="cat-submenu"></ul><li><a href="http://valisi.ru/reagenty/" class="cat-img"><img src="http://valisi.ru/wp-content/uploads/2016/05/reagenty-e14119751904911.png" alt="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49734	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:45.547377110 CEST	468	OUT	HEAD /first.rtf HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: valisi.ru Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d; wfvt_1026485859=6802f1fbe39a9; PHPSESSID=c23817273c64555c130cc0150a4922ad
Apr 19, 2025 02:44:46.295002937 CEST	476	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: wfvt_1026485859=6802f1fe1a5cc; expires=Sat, 19-Apr-2025 01:14:46 GMT; path=/; httponly content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/" date: Sat, 19 Apr 2025 00:44:46 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49735	91.218.228.26	80	7720	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2025 02:44:46.680639982 CEST	258	OUT	GET /first.rtf HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: valisi.ru Connection: Keep-Alive Cookie: PHPSESSID=9f1887f17763dca70f238dcccd64fc52; wfvt_1026485859=6802f1fcf250d
Apr 19, 2025 02:44:47.339966059 CEST	1358	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/5.4.45 set-cookie: wfvt_1026485859=6802f1ff2de53; expires=Sat, 19-Apr-2025 01:14:47 GMT; path=/; httponly content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache link: <http://valisi.ru/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 19 Apr 2025 00:44:47 GMT server: LiteSpeed Data Raw: 63 31 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 19 db 6e db ca f1 d9 fe 8a 15 0b 58 e4 09 c5 8b 44 59 8e 6c da 50 64 1b 0d 9a 34 41 ec 83 a2 b0 0d 61 4d ae a4 75 28 92 67 b9 b2 2c d8 02 8a 3e f4 3f fa 07 79 e8 01 da 87 fe 83 cf 1f 75 76 97 94 a8 8b 13 fb 24 28 60 53 e4 5e e6 3e b3 33 b3 07 95 e3 0f dd f3 bf 7e 3c 41 43 3e 8a 0e b7 0f c4 0f 8a 70 3c f0 35 36 d6 c4 00 c1 e1 e1 f6 d6 c1 88 70 8c 82 21 66 19 e1 be f6 f3 f9 69 6d 0f a6 f3 f1 18 8f 88 af dd 52 32 49 13 c6 35 14 24 31 27 31 ac 9b d0 90 0f 7d d7 75 9c d5 c5 78 cc 87 09 2b 2d ed 84 b7 38 0e 48 88 32 3e 0e 69 22 d7 73 ca 23 72 f8 f8 cf df fe fe db df 1e bf 3c fe f7 f1 df bf fd e3 f1 0b 82 97 5f c5 e3 cb e3 7f 1e ff f5 f8 ab 78 43 e8 01 a1 53 1a 8d 38 09 0e 6c b5 6f 7b 6b 89 bc b3 3f 01 9f bd f3 0f 1f de bd e9 7c 2a 21 5e 1a ef 7d ec 7c 3a 3b f9 d4 eb 7e 78 ff b1 73 fe f6 cd bb 13 0d d9 40 0a 10 53 a9 d5 50 90 65 a8 56 13 a4 45 34 fe 8c 18 89 7c 2d 03 3e 78 30 e6 88 02 db 1a 1a 32 d2 f7 b5 21 e7 69 db b6 6f 71 44 33 6a b1 b1 3d 49 6b b9 54 6c [TRUNCATED] Data Ascii: c15nXDYlPd4AaMu(g,>?yuv$(`S^>3~<AC>p<56p!fimR2I5$1'1}ux+-8H2>i"s#r<_xCS8lo{k?\|!^}\|:;~xs@SPeVE4\|->x02!ioqD3j=IkTl>$#}qF2njCr-AK0U&8}hfdFS2YsMo9N60L"T%O#U)q\|1aS^'wFH`[II4J"WB@M9X0Wf6$ 69m[Ax%M%Pe4fa=y^8+i`9RsjTHtkkB0XIJF=#`!k8#?HkK[Y+aKdv0riv~_.g>d50s:+Rxh7r}O"kDcdpU;uFknul/qA:1!l&/f~b'auaz
Apr 19, 2025 02:44:47.339998007 CEST	1358	IN	Data Raw: 50 3f 31 b9 b5 59 a6 66 62 0d 08 cf f7 65 6f a6 e7 78 f0 67 88 7c ba 26 82 a4 66 5c 38 57 16 4e 53 50 52 77 48 a3 50 e7 c6 ac 9f 30 9d f9 1d c6 f0 14 f0 d0 51 1a 11 90 58 3f c2 42 70 e3 18 3c 3e 24 7b f0 1a 52 69 04 7c aa 19 80 3d 1b a7 22 8e 66 Data Ascii: P?1Yfbeoxg\|&f\8WNSPRwHP0QX?Bp<>${Ri\|="f=)\\|$gf;"p?~X@`R.D.`C@cmW;S:kR3d^afAag,b0$LX\|mqP8LP\+
Apr 19, 2025 02:44:47.340028048 CEST	935	IN	Data Raw: 52 f4 ca 18 10 14 5e e3 e5 c4 5a 30 1a 42 0b a2 60 b7 ae e8 53 5b d4 f6 b2 7b e7 12 84 4d 3c e1 50 a4 e6 d1 40 02 ab cb 49 57 2a c2 95 60 5c d2 2e c0 f7 20 27 c8 57 3f 0f 45 ee 79 25 c6 04 03 64 94 42 af 20 c7 aa 54 5e f2 c1 a5 88 b3 41 1b a5 f0 Data Ascii: R^Z0B`S[{M<P@IW`\. 'W?Ey%dB T^AxgVhV65xg]:(v&GQyB,$A@#~O +cT?*B8^fQ},5[dL8LLY8#GcA7<sC=?2a0=_zK6qV
Apr 19, 2025 02:44:47.369962931 CEST	1358	IN	Data Raw: 37 34 31 0d 0a cd 5b 5b 4f 1b 47 14 7e 86 5f 31 75 1f 02 52 76 6d 73 09 d0 1a ab 6a 84 fa 98 96 28 4f 6d 85 c6 f6 1a 2f 71 bc 96 2f 38 a6 aa 14 a0 52 13 05 15 29 ad 54 a9 52 9a 56 7d ea 1b 29 21 a1 40 88 d4 5f b0 fb 8f fa 9d 33 b3 bb 93 35 2c 84 Data Ascii: 741[[OG~_1uRvmsj(Om/q/8R)TRV})!@_35,nJ]9so.r1++b(ZYwq[pl\|\|l3yG6#&GB"Q~)jfj"7hsST].G\|9h<0F&]k6D)#%;Q
Apr 19, 2025 02:44:47.370465040 CEST	506	IN	Data Raw: 56 d7 ab ea 8c 3b dc 96 bd 1f 45 c6 75 44 05 1a 9b 13 f2 d1 9f eb 95 d4 9f 7b 83 d4 9f bd bb 0c b0 56 7b bd 70 77 66 ea 92 66 30 de 12 44 fb c6 38 a0 86 73 e4 97 68 e7 07 a7 c4 8b 12 af d2 c9 c8 18 e7 65 dd 56 31 9a b9 1e 3b 4e bd b5 2c a3 fc f4 Data Ascii: V;EuD{V{pwff0D8sheV1;N,h_VgPItd2gUreX]qPFbP,"&oxk8Wpq<S5n)KvhnA3_l.X]aO)D9b$Q'h
Apr 19, 2025 02:44:47.370488882 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• WINWORD.EXE

Click to jump to process

Memory Usage

• WINWORD.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	20:44:31
Start date:	18/04/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7f0000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report _________19.03.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\msoDE84.tmp

C:\Users\user\Desktop\_________19.03.docx (copy)

C:\Users\user\Desktop\~$_______19.03.docx

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WINWORD.EXEPID: 7720, Parent PID: 760

General

File Activities

Windows Analysis Report
_________19.03.docx