Create Interactive Tour

Windows Analysis Report
IR_Plan_Template.docx

Overview

General Information

Sample Name:	IR_Plan_Template.docx
Analysis ID:	737058
MD5:	15459297bde9f9080fc8831ed4269bd4
SHA1:	dc70feb680f005b6c436bf0234e5523e7085d840
SHA256:	6250558c933ddfca499f074ac61c78acd7a9d7d259c7f37bead832b6a9eeb4be
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

JA3 SSL client fingerprint seen in connection with other malware

Found iframes

IP address seen in connection with other malware

No HTML title found

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 940 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

chrome.exe (PID: 1552 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 6ACAE527E744C80997B25EF2A0485D5E)

chrome.exe (PID: 2604 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,3977379926490783070,1402708823176081004,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1432 /prefetch:8 MD5: 6ACAE527E744C80997B25EF2A0485D5E)

chrome.exe (PID: 1420 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 MD5: 6ACAE527E744C80997B25EF2A0485D5E)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6DD33958-9D86-4B28-84C5-05FAD15DC9F2}.tmp

Jump to behavior

Source: unknown

HTTPS traffic detected: 45.60.31.34:443 -> 192.168.2.22:49297 version: TLS 1.2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5CBF.tmp

Jump to behavior

Source: classification engine

Classification label: clean2.winDOCX@15/5@16/5

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,3977379926490783070,1402708823176081004,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1432 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: IR_Plan_Template.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\IR_Plan_Template.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IR_Plan_Template.docx	Initial sample: OLE zip file path = word/_rels/header1.xml.rels
Source: IR_Plan_Template.docx	Initial sample: OLE zip file path = word/_rels/footer1.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Drive-by Compromise	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
IR_Plan_Template.docx	0%	ReversingLabs
IR_Plan_Template.docx	0%	Virustotal	Browse
IR_Plan_Template.docx	0%	Metadefender	Browse

Source	Detection	Scanner	Label	Link
cookies-data.onetrust.io	0%	Virustotal		Browse
images.contentstack.io	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.sarbanes-oxley-101.com/	0%	Avira URL Cloud	safe
https://www.sarbanes-oxley-101.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
accounts.google.com	142.251.143.141	true	false		high
www.sans.org	45.60.31.34	true	false		high
cookies-data.onetrust.io	172.64.155.64	true	false	0%, Virustotal, Browse	unknown
addsearch.com	99.80.22.109	true	false		high
www.google.com	142.251.143.132	true	false		high
clients.l.google.com	142.251.143.174	true	false		high
cdn.cookielaw.org	104.16.149.64	true	false		high
geolocation.onetrust.com	104.18.41.98	true	false		high
dus4zn37zlqg0.cloudfront.net	54.230.182.97	true	false		high
clients2.google.com	unknown	unknown	false		high
images.contentstack.io	unknown	unknown	false	0%, Virustotal, Browse	unknown
cdn.jsdelivr.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901	false	high
https://www.sans.org/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=10&cb=1423541351	false	high
https://www.sans.org/white-papers/_nuxt/843c88b.js	false	high
https://www.sans.org/_Incapsula_Resource?SWKMTFSR=1&e=0.48620199341391523	false	high
https://www.sans.org/emea/	false	high
https://www.sans.org/_nuxt/f017cee.js	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
https://www.sans.org/	false	high
https://www.sans.org/white-papers/_nuxt/5c4b68b.js	false	high
https://www.sans.org/_nuxt/52315a7.js	false	high
https://www.sans.org/_nuxt/fonts/ClearSans-Bold.6667568.woff	false	high
https://www.sans.org/_nuxt/1b76987.js	false	high
https://www.sans.org/_nuxt/14dfdda.js	false	high
https://www.sans.org/white-papers/_nuxt/css/dc45d19.css	false	high
https://www.sans.org/_nuxt/0a44ab6.js	false	high
https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	false	high
https://www.sans.org/white-papers/_nuxt/css/719ad0c.css	false	high
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LdRaE8aAAAAAOB9CLy-hHWeafmpvmYkeMpCXrWO&co=aHR0cHM6Ly93d3cuc2Fucy5vcmc6NDQz&hl=en&v=Ixi5IiChXmIG6rRkjUa1qXHT&size=invisible&cb=n2nn4ml0cryv	false	high
https://www.sans.org/white-papers/_nuxt/85541be.js	false	high
https://www.sans.org/_nuxt/2333d81.js	false	high
https://www.sans.org/white-papers/_nuxt/ef26c41.js	false	high
https://www.sans.org/_nuxt/css/fb5e5ac.css	false	high
https://www.sans.org/white-papers/33901/	false	high
https://www.sans.org/_nuxt/css/291a06d.css	false	high
https://www.sans.org/_nuxt/07fff83.js	false	high
https://www.sans.org/_nuxt/fonts/ClearSans-Regular.e91449d.woff	false	high
https://www.sans.org/_nuxt/6c34979.js	false	high
https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	false	high
https://www.sans.org/white-papers/_nuxt/f893079.js	false	high
https://www.sans.org/_nuxt/ab87e22.js	false	high
https://www.sans.org/_nuxt/d5b644b.js	false	high
https://www.sans.org/_nuxt/caebd93.js	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false	high
https://www.sans.org/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=2&cb=939471789	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html	document.xml	false		high
https://www.sarbanes-oxley-101.com/	document.xml	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx	document.xml	false		high
https://csrc.nist.gov/projects/risk-management	document.xml	false		high
https://www.pcisecuritystandards.org/documents/PCI_SSC_PFI_Guidance.pdf	document.xml	false		high
https://www.eugdpr.org/key-changes.html	document.xml	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
45.60.31.34	www.sans.org	United States	19551	INCAPSULAUS	false
142.251.143.141	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.143.174	clients.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	737058
Start date and time:	2022-11-03 14:31:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IR_Plan_Template.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean2.winDOCX@15/5@16/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Browse link: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 Scroll down Close Viewer

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
Excluded IPs from analysis (whitelisted): 142.251.143.163, 34.104.35.123, 151.101.2.217, 151.101.66.217, 151.101.130.217, 151.101.194.217, 142.251.143.168, 142.251.143.131, 104.16.87.20, 104.16.88.20, 104.16.86.20, 104.16.89.20, 104.16.85.20, 142.251.143.106, 142.251.143.138, 142.251.143.170, 142.251.143.202
Excluded domains from analysis (whitelisted): cdn.jsdelivr.net.cdn.cloudflare.net, edgedl.me.gvt1.com, content-autofill.googleapis.com, www.googletagmanager.com, fonts.gstatic.com, h3.shared.global.fastly.net, update.googleapis.com, clientservices.googleapis.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
239.255.255.250	Myfile.html	Get hash	malicious	Browse
	http://track.employedusa.com/?xtl=20yq56k69gr0wz9tqddp838m89v3affggqjsuiiiovd7q3pz6plrhtqlydiv2drxqzn3yewovkzbnzy9qfet10fz&ei=8147320749@elm.com&originalclickurlb=aHR0cHM6Ly9jYXItYWdlLnRvcD9lPVltOWlMbWhoYldsc2RHOXVRR055WVMxaGNtTXVaMk11WTJFPQ==	Get hash	malicious	Browse
	Outstanding Invoice 799853 paid.html	Get hash	malicious	Browse
	https://03-111235-cwefw4r9f-whr-ghbw-renfv-w9rnh-g.obs.la-south-2.myhuaweicloud.com/ig9043e5rjg-het59gjnw-0erfkw-0fe9k-0wrjfg-0wrejf.html?AWSAccessKeyId=MQBACYQR6PMPLZ8WJWJH&Expires=1667481208&Signature=m5e6ccmVUwJQYBhZaCx7lFS5RzQ%3D#atl@sampension.dk	Get hash	malicious	Browse
	http://www.paltalk.com	Get hash	malicious	Browse
	https://s3.amazonaws.com/appforest_uf/f1666681361635x301391878117743170/cameo_script_shared_file_cx.html#nani?amy@steinborn.com	Get hash	malicious	Browse
	https://mhlacl24xw3uutqbrqcn.bioch.ru/	Get hash	malicious	Browse
	scanner@deaworklab.it_20285264_207382.htm	Get hash	malicious	Browse
	http://www.dixonind.com.au/	Get hash	malicious	Browse
	AntiForkieTool.exe	Get hash	malicious	Browse
	Office365 setup validation.html	Get hash	malicious	Browse
	https://sylc.ind.br/iiuo/index.php?set-dunpeardeai=2	Get hash	malicious	Browse
	http://www.malachi.co.za	Get hash	malicious	Browse
	https://www.jotform.com/app/223042268654455	Get hash	malicious	Browse
	http://dlg.thermoval.mx/vn/mic%20(1)/mic/?e=amxnQGRsZy5kaw==	Get hash	malicious	Browse
	Ambassador.html	Get hash	malicious	Browse
	https://www.dir.cat/es	Get hash	malicious	Browse
	http://ieltsadd.ir/cache/fck_files/file/69583449902.pdf	Get hash	malicious	Browse
	http://steamcommuntly.com	Get hash	malicious	Browse
	https://app.box.com/s/3y3vltx8y58x1v5xrtn0zfaf8kgsaymo	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
addsearch.com	https://nospam.rockford.edu/cgi-mod/openwebmail/openwebmail-viewatt.pl/wsal_report_10012020130019_7Xp_6w0ezREZdsD5O9hb_QMYy.html?action=viewattachment&sessionid=&debugid=1601557219-0f8e373e6d7a2560001-iQ3I8t&server=1019447&attachment_nodeid=0-1&convfrom=none.iso-8859-1&user=admin&password=02c8cfaaf3a4184fa47bdc9b6b4d09fc&et=1601566948&role=admin&secondary_tab=log_view&	Get hash	malicious	Browse	52.166.11.26
	https://urldefense.proofpoint.com/v2/url?u=https-3A__encrypt.barracudanetworks.com_login-3Fnid-3DU2FsdGVkX18eDL4O-252FJ6ZcrqhFKcuDWgiKPEHm0goIz2jh-252FE-252BGPTc8sX7BnqlvTSHYeYqEJ-252FTvaW9xjamGEl1yfwLqFDFxFT3gf1G8Qvw0NAmj6GysC5V68d37MdbSAyCE1x-252Fuzb1D2uj6vpipyXMrVNUN0beFkrrMplm23O-252FV7-252F-252F-252FzOr5TZzQCss8JDV1Zag60jYc-252FTI5UcWDqv4Uy-252B9g7mrc8lL-252FT4LVyNXhINl5NREGsr6uq01I7MfmZwJyHJW6SMbtiUh2WraLNHPtFconw-253D-253D&d=DwMGaQ&c=XGQEjW0Rcg2RdomXChuZ235x-xBBc-wrnaA4kpIJF1c&r=qlUAOfXIX5NWdau8br2wVnl81DoEoFFTMTNlq6o6fEY&m=1GuXppqYMMN-eXXTY_M2Ww5wwLGJGU1njXKF-bI04Ls&s=0TcfYGJYW_a0hyiy6AFwyJOBicsPdT7zouUVf8CDWyM&e=	Get hash	malicious	Browse	52.166.11.26
	https://ess.barracudanetworks.com/log/attachment/1572279812-893454-27231-2034-1-47e92d40b17560b0f50a0b2c568dd206/JFNYB9VFZ9999G8R7UHWYV3ZDYJENS.html	Get hash	malicious	Browse	52.166.11.26
	https://www.hybrid-analysis.com/	Get hash	malicious	Browse	52.166.11.26
www.google.com	Myfile.html	Get hash	malicious	Browse	142.251.143.132
	http://track.employedusa.com/?xtl=20yq56k69gr0wz9tqddp838m89v3affggqjsuiiiovd7q3pz6plrhtqlydiv2drxqzn3yewovkzbnzy9qfet10fz&ei=8147320749@elm.com&originalclickurlb=aHR0cHM6Ly9jYXItYWdlLnRvcD9lPVltOWlMbWhoYldsc2RHOXVRR055WVMxaGNtTXVaMk11WTJFPQ==	Get hash	malicious	Browse	142.250.186.36
	Outstanding Invoice 799853 paid.html	Get hash	malicious	Browse	142.251.143.132
	https://03-111235-cwefw4r9f-whr-ghbw-renfv-w9rnh-g.obs.la-south-2.myhuaweicloud.com/ig9043e5rjg-het59gjnw-0erfkw-0fe9k-0wrjfg-0wrejf.html?AWSAccessKeyId=MQBACYQR6PMPLZ8WJWJH&Expires=1667481208&Signature=m5e6ccmVUwJQYBhZaCx7lFS5RzQ%3D#atl@sampension.dk	Get hash	malicious	Browse	142.251.143.132
	http://www.paltalk.com	Get hash	malicious	Browse	142.251.143.132
	https://s3.amazonaws.com/appforest_uf/f1666681361635x301391878117743170/cameo_script_shared_file_cx.html#nani?amy@steinborn.com	Get hash	malicious	Browse	142.250.186.68
	https://mhlacl24xw3uutqbrqcn.bioch.ru/	Get hash	malicious	Browse	142.251.143.132
	scanner@deaworklab.it_20285264_207382.htm	Get hash	malicious	Browse	142.251.143.132
	http://www.dixonind.com.au/	Get hash	malicious	Browse	142.251.143.132
	AntiForkieTool.exe	Get hash	malicious	Browse	142.251.143.132
	Office365 setup validation.html	Get hash	malicious	Browse	142.251.143.132
	https://sylc.ind.br/iiuo/index.php?set-dunpeardeai=2	Get hash	malicious	Browse	216.58.212.132
	http://www.malachi.co.za	Get hash	malicious	Browse	142.251.143.132
	https://www.jotform.com/app/223042268654455	Get hash	malicious	Browse	142.251.143.132
	http://dlg.thermoval.mx/vn/mic%20(1)/mic/?e=amxnQGRsZy5kaw==	Get hash	malicious	Browse	142.251.143.132
	Ambassador.html	Get hash	malicious	Browse	142.251.143.164
	https://www.dir.cat/es	Get hash	malicious	Browse	142.251.143.132
	http://ieltsadd.ir/cache/fck_files/file/69583449902.pdf	Get hash	malicious	Browse	142.251.143.132
	http://steamcommuntly.com	Get hash	malicious	Browse	142.251.143.132
	https://app.box.com/s/3y3vltx8y58x1v5xrtn0zfaf8kgsaymo	Get hash	malicious	Browse	142.251.143.132
cookies-data.onetrust.io	wzdu46.exe	Get hash	malicious	Browse	104.18.32.192
	https://googleads.g.doubleclick.net/aclk?sa=l&ai=CKPnJo58XY-6XFpi6ywWS9LiIDP6rjZxowq6poYwPsJAfEAEg35i5hQFg8a38haQfoAH27PDeA8gBAagDAcgDwwSqBMwBT9DVjgH_bJrc6MpdicKPQQlqqqERUZmU-SvDt67Q6L2n62LNVm8-4jojFyRll5IOe5sU-GclrIK2IT7fQ_HIWU1eX5UWYO-GFLBsRPhsZ-OHez9KnPiweXl0SAMCWVRzmTjCuywMk3l6hnAJB2X7ptWLHP6wpDhx5AQefYmdmPLaFs3PHnd5SDrpvTE9cdyL42Zm9BQJ2ET1MMZnVtU7LEqwRgHonfSrhiCasJ2GYFFj_ouRavtzpLQ_u2df39_RbnXAnKZegITEkb0JwASczKL9hASgBlGAB_KSjyGoB47OG6gHk9gbqAfulrECqAf-nrECqAeko7ECqAfVyRuoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAffn7EC2AcB0ggSCIjhgBAQARgfMgOqggE6AoBAsQmpaULwqI8KbYAKAZgLAcgLAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&sig=AOD64_0eSMP2gEYH7XL12cC4N0J-MHd-Iw&client=ca-pub-5597111339061035&nb=8&adurl=https://www.winzipdriverupdater.com/du/wddc6/index.php%3Flang%3Dsv%26gclid%3DEAIaIQobChMIrvWJvfOA-gIVGN2yCh0SOg7BEAEYASAAEgLu1PD_BwE	Get hash	malicious	Browse	172.64.155.64
	wzdu53.exe	Get hash	malicious	Browse	104.18.32.192
	https://docs.mktrending.com/marrketend.png	Get hash	malicious	Browse	172.64.155.64

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INCAPSULAUS	https://secure.2checkout.com/affiliate.php?ACCOUNT=LANTECHS&AFFILIATE=120043&PATH=https%3A%2F%2Fiw2zxo.codesandbox.io/?x.o=Y2xpZmYuY2FsaG91bkBzd2dhcy5jb20=	Get hash	malicious	Browse	45.60.14.94
	https://www.spiceworks.com/privacy/	Get hash	malicious	Browse	45.60.13.212
	https://www.spiceworks.com/terms/	Get hash	malicious	Browse	45.60.13.212
	https://email.email.pandadoc.net/c/eJxVT8tOAjEU_Rq6k0xb-phFF0g0xLjwgYArc_saqsyDTscBvt6SaNTkLk5Ozj0PpzDnvOS0YAyNbfzoOzDuLVjlmyNlN7PNeA2batzGw_qDii0KihSE4IJITLGgbKp5QY0vcHbgkpdsMitcDWE_7aCxYFszbVxCO6WxdBwEAaoJpQ4s95zh0nrNJCFFiUL_lmIOB713ahUHh_Zql1LXT-h8Qm7zQdf9upq2zlRGQ-2alKF22FgpGBYCG58bMZFLYS0lliUH670hlBQUtbGCJpwhhba5LB3f6fWcDofX1XLhfEVePg_P-h5F9d6eprWBmHZDzLOgdjEYaPpQNZCG6C4dUFI_Hf7AqwSxcv-Y_qKI7jP037H3EBdjdZo_Jr1eP3G6XNhUa_TzcJFY97B6uBM3j7tatmcmSlHbo0VWaU61l19HUJLQ	Get hash	malicious	Browse	45.223.20.103
	http://www.uncommonegfrmutations.com	Get hash	malicious	Browse	45.60.76.54
	https://docs.transactional.pandadoc.net/c/eJxVT8tOwzAQ_Jr6RuUYJ44PPrSUgqiooEQVPaG1vXnQ1Am2Wx5fTyJRAdIeRqPZeaBKsoxLKjnNyXvn96EHgy-NVTO5_rxe9kYu59XD7vaJiXvnr0ijGGUsoZQneUqpmILMyxKB6QTRCiMnnEYPLoCJTeegnfbgLNjOTB1GUquypAwYXjKpc56lZaIzXqbGplTYVGQpacLLYGAQdIuq8Eckrapj7MPkcjZhy-Gg739dTXcYqAEdD-jiCHNkTJeYCosZGMGAWoMys4ZJi4LnKKzmnJLOV-CaLxh7jouv3lbbQmounzd3_rXYftR6rh3xKvruc1r6Bn3o3LCvBfvej8EkqnPwH3gRwVf4jwmjwuOpCT9ZflHzh9zcFJt99biutk-Z3G3m5PwwSoRbhNQXXyt_Os5Xga9PXe1WxCqZ5DKx7BuFdZNs	Get hash	malicious	Browse	45.223.20.103
	https://onedrive.live.com/?cid=bb4aaf4b9f531701&id=BB4AAF4B9F531701%21122&ithint=file,pdf&authkey=!ANbIdNq63UzmgEM	Get hash	malicious	Browse	45.60.13.207
	https://app.pandadoc.com/document/d18c38ece13c4d970e26ae9e9adc0894a9c0a84b	Get hash	malicious	Browse	45.223.20.103
	https://app.pandadoc.com/document/297c9b88f7d1d58539546728e0c8dceee0f3dd4c	Get hash	malicious	Browse	45.223.20.103
	https://exam101.in/autb/piuorenoctrm	Get hash	malicious	Browse	45.60.22.18
	M09RmKZC3g.elf	Get hash	malicious	Browse	45.60.181.167
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Fcreditscored.top?r=ZGF2aWQucmVlZGVyQGdsb2JhbGZvdW5kcmllcy5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Fdreamonline.top?r=Z2RtQGFyZ2NzLmNvbQ==&usertrack.cookie_name=NovaId&d=DwMFaQ	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Ftech-r.top?r=cGxwYXBwbGljYXRpb25zQG11bHRpc2VydmljZS5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Ftech-r.top?r=cGxwYXBwbGljYXRpb25zQG11bHRpc2VydmljZS5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	Myn7eh9vQ6.elf	Get hash	malicious	Browse	107.154.62.123
	PjzRDP3Bzp.elf	Get hash	malicious	Browse	107.154.123.250
	aPTFhkPRDD.exe	Get hash	malicious	Browse	45.60.22.24
	aPTFhkPRDD.exe	Get hash	malicious	Browse	45.60.22.24
	https://santanderenlinea.solicitudessesel.com.mx/solicitud-tarjeta-de-credito/paso1/santander-aeromexico-infinite?utm_source=Santander&utm_medium=Aeromexico&utm_campaign=BoardingPass	Get hash	malicious	Browse	45.60.197.69

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	PF00015722EX2.docx.doc	Get hash	malicious	Browse	45.60.31.34
	Dokumente 2022.02.11_1227.xls	Get hash	malicious	Browse	45.60.31.34
	Rechnung 2022.02.11_1233.xls	Get hash	malicious	Browse	45.60.31.34
	Payment Details.xlsx	Get hash	malicious	Browse	45.60.31.34
	https://cssamares-my.sharepoint.com/:o:/g/personal/barbara_jacques001_csssamares_gouv_qc_ca/EmEkY2pXv8dBmepJcN2zZ-oB_N-SvXJsN0E5rRMIzcWOZQ?e=0pRe0A	Get hash	malicious	Browse	45.60.31.34
	Payment Advice.xlsx	Get hash	malicious	Browse	45.60.31.34
	Ontario Refrigeration statement - 01.11.2022.xlsx	Get hash	malicious	Browse	45.60.31.34
	Excel Statement001.xlsx	Get hash	malicious	Browse	45.60.31.34
	S O Supply INV4322489.xlsx	Get hash	malicious	Browse	45.60.31.34
	file.xlsx	Get hash	malicious	Browse	45.60.31.34
	file.xlsx	Get hash	malicious	Browse	45.60.31.34
	Leeswood_Quo_Upd123.xlsx	Get hash	malicious	Browse	45.60.31.34
	BCN#U00ae.docx	Get hash	malicious	Browse	45.60.31.34
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.31.34
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.31.34
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.31.34
	ZU2XrHhhPl.vbs	Get hash	malicious	Browse	45.60.31.34
	0_202210194007389131.xls	Get hash	malicious	Browse	45.60.31.34
	3_202210640813657219.xls	Get hash	malicious	Browse	45.60.31.34
	1_202210473920042668.xls	Get hash	malicious	Browse	45.60.31.34

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Reputation:	high, very likely benign file
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IR_Plan_Template.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Thu Nov 3 20:31:13 2022, length=324449, window=hide
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	4.582103599958572
Encrypted:	false
SSDEEP:	12:8F+/56A0gXg/XAlCPCHaXNBQtB/xQpX+WMX1RY5i0Plp4icvbb3wmLXPltNDtZ30:8opk/XT9SIiFRZ0rreP3wiX1Dv3qKu7D
MD5:	D5A1A1A065476BF3256DC9E3580C775D
SHA1:	0AC50D5BBDF04BA37D35AFAE7AD935166FF395E4
SHA-256:	A75B44BD4D459833F8E9E34A3F74C70DEC4EBE74150BB0E0D4C96D5EB8BA8711
SHA-512:	673641042004B641738A760AA2E4342CCBE9D906463B1A6316DA56DE78DEEBD2A3B20AAFD37AF63227DABB2A6A0A25BE916CEF2608D60BA41B7393709AE9EE8A
Malicious:	false
Reputation:	low
Preview:	L..................F.... .......3......3...6{.....a............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.a...cU. .IR_PLA~1.DOC..X......hT..hT.....r.....'...............I.R._.P.l.a.n._.T.e.m.p.l.a.t.e...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\358075\Users.user\Desktop\IR_Plan_Template.docx.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.R._.P.l.a.n._.T.e.m.p.l.a.t.e...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......358075..........D_....3N...W...9G..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [misc]
Category:	modified
Size (bytes):	84
Entropy (8bit):	4.659709614401672
Encrypted:	false
SSDEEP:	3:bDuMJl0uJEfobd6lmxWnKDEfobd6lv:bCmKfoc5Tfoc1
MD5:	B7C1E21569920BE673696296FFF7F8E0
SHA1:	BD73DE6B142B73898505D5B31BF01604E6A53213
SHA-256:	7A8AB1FCF7EE337D58D1B2B2227839C83F8B1AE24DB98F6CBCB5B7FC03E84E1D
SHA-512:	D8CC9A62C884088C9AC0C6B86C0F624F709DCDDAF42FC7BF88145995CC2B6FD3AE3AAA25568A23827DC55474E666966DF366046F72A65D2CB708CA3D0F7AB676
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..IR_Plan_Template.LNK=0..[misc]..IR_Plan_Template.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\Desktop\~$_Plan_Template.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.977242825515052
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	IR_Plan_Template.docx
File size:	324449
MD5:	15459297bde9f9080fc8831ed4269bd4
SHA1:	dc70feb680f005b6c436bf0234e5523e7085d840
SHA256:	6250558c933ddfca499f074ac61c78acd7a9d7d259c7f37bead832b6a9eeb4be
SHA512:	d74c0382aebd38c83533a3dc081bdc9a4dca829c0fe125812556a56f81f866007a307aae4f1ddba29e237ce826db76839835bd98729f3562ddc4e2ba41bebfc2
SSDEEP:	6144:nLsCiHidjxzomV5Lb7JhS/I3MagmWJsU1WrLE6moW9XgCx:nLy4jJoELbDSgDUWrL1CXg0
TLSH:	69641272C32934FCD462EA74F41A8DB47A0C3C9A9599333F98588F74F2B50D66298B58
File Content Preview:	PK..........!....R............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

• WINWORD.EXE
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• WINWORD.EXE
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	14:31:14
Start date:	03/11/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f520000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	14:31:45
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	4
Start time:	14:31:46
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,3977379926490783070,1402708823176081004,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1432 /prefetch:8
Imagebase:
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	7
Start time:	14:31:47
Start date:	03/11/2022
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Imagebase:
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: Iframe src: https://www.googletagmanager.com/ns.html?id=GTM-5T9DW3B
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: Iframe src: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LdRaE8aAAAAAOB9CLy-hHWeafmpvmYkeMpCXrWO&co=aHR0cHM6Ly93d3cuc2Fucy5vcmc6NDQz&hl=en&v=Ixi5IiChXmIG6rRkjUa1qXHT&size=invisible&cb=n2nn4ml0cryv
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: Iframe src: https://www.googletagmanager.com/ns.html?id=GTM-5T9DW3B
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: Iframe src: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LdRaE8aAAAAAOB9CLy-hHWeafmpvmYkeMpCXrWO&co=aHR0cHM6Ly93d3cuc2Fucy5vcmc6NDQz&hl=en&v=Ixi5IiChXmIG6rRkjUa1qXHT&size=invisible&cb=n2nn4ml0cryv

Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: HTML title missing
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: HTML title missing

Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: No <meta name="author".. found
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: No <meta name="author".. found

Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: No <meta name="copyright".. found
Source: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaser	HTTP Parser: No <meta name="copyright".. found

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /reading-room/whitepapers/incident/incident-handlers-handbook-33901 HTTP/1.1Host: www.sans.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /white-papers/33901/ HTTP/1.1Host: www.sans.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/css/719ad0c.css HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/css/dc45d19.css HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/5c4b68b.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/843c88b.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/85541be.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: bgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/ef26c41.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /white-papers/_nuxt/f893079.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=LjTzU43yt0Gzcxe0Lx1sNAAAAAAC9ovsaQ17oCxsdLGGhWKk
Source: global traffic	HTTP traffic detected: GET /cyber-security-training-overview/?msc=nav-teaser HTTP/1.1Host: www.sans.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV
Source: global traffic	HTTP traffic detected: GET /_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=2&cb=939471789 HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/white-papers/33901/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV
Source: global traffic	HTTP traffic detected: GET /_nuxt/css/fb5e5ac.css HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/css/291a06d.css HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/1b76987.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/f017cee.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/d5b644b.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/07fff83.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/ab87e22.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/52315a7.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/0a44ab6.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/6c34979.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/14dfdda.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/2333d81.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_nuxt/caebd93.js HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu
Source: global traffic	HTTP traffic detected: GET /_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=10&cb=1423541351 HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=*; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1
Source: global traffic	HTTP traffic detected: GET /_nuxt/fonts/ClearSans-Regular.e91449d.woff HTTP/1.1Host: www.sans.orgConnection: keep-aliveOrigin: https://www.sans.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://www.sans.org/_nuxt/css/fb5e5ac.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=*; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1
Source: global traffic	HTTP traffic detected: GET /_nuxt/fonts/ClearSans-Bold.6667568.woff HTTP/1.1Host: www.sans.orgConnection: keep-aliveOrigin: https://www.sans.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://www.sans.org/_nuxt/css/fb5e5ac.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=*; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1
Source: global traffic	HTTP traffic detected: GET /_nuxt/fonts/ClearSans-Regular.e91449d.woff HTTP/1.1Host: www.sans.orgConnection: keep-aliveOrigin: https://www.sans.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://www.sans.org/_nuxt/css/fb5e5ac.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=*; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1
Source: global traffic	HTTP traffic detected: GET /_Incapsula_Resource?SWKMTFSR=1&e=0.48620199341391523 HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sans.org/cyber-security-training-overview/?msc=nav-teaserAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1; ___utmvc=mZrY9TjCVgNB1VfTWYlykjdE9PIngTUB081LbjhuIbsH1Gf9DLcGu7nYPeWPwOG4RHKUc9j6F0vYhUS6qRBvHbk/95Ma5bwPZuiarSX3ylkpWtxNrmTBMuYU6pTFnCyVQdnDmFwsjTQeS7jjxFXFTht8yBp3wGdboZdn78TGM/W/oFSAwSqy5OkoBkJepTTJGyqoYGhIt1Mum16VJVlsbKj6DAOBuqlFVflnjvsr5VdVJNxLLBlLQq4tMo1XSEAnyiPB4b3YlwzvXN+ERegbXFCJs5CwtsqeaNIDGhbfLTfe32Tl4merd9knQo7P1/CwW4KGJnlAPFTNSUGiybvQOoUaQn+lO6In35yO7TZezn3U3Y5WAbOULoRDfDIzYvtu+tZbAWT6OQDlH2o6jgPqD+9L1x37+DXHwghSAi4hYadlgQv8VAAjIQShskTa1q9pfFWsX/hkavxlFLdh5ktK+Cx7K/MRQOnICJEBwDWZieCkrTTRmQkCoyXTIgBuniAM1CWtvPI5VZJoY8ts4JdEW+Ez7Z+et0rChNxoNDEsbrSxfcImz66AJefOozZjm66CCTb9ImHNubhPjAUD9yh8zV0zyHHs6LsgA+tD8MOAHJd91mVB4KM4fAv5aL5WIf4f2IlhaCfrORsj+JlY/5oSRzySDR0CgsVDWBxN0MX4s+ROiryni0/CNfWCjDDOIuo5aBe69fgRZ7XmNaJ1+PnJ5JRSn7Fnmu4ogCfTgOF7tfwaaZTYDzEi3TCdxiK+3vUkui9pMY3EPd61EK+YIiWIVxYloIkQMKqFSXp5X9Eq3OXM98Ducg4xh/weJVfKwbTZcvlwvSxlu20RAZA28CIM/8pp+tejKCT4QLyXCqJYup8VisiYs/MmJiTAEjuCOZaHh/P+g0XUUs9WZSDytkoqd8yCwnOw/QAM9aZzU2LA8szRIU2h/niIaDHojjvyISLn9tmnBdARz8/pTWJGDb/lqj+owHNx6cu20P6d9DRDrowXjZd+R2Y1x++KDB3G7Tns7/mge6fX6Jm7v2TAGEyLM2ah9NwHCYpTI1Ue0CJ7rV/sdg81G8QESFm5NxSoVlSmiRtPZGFm+HU07qPmw2Lik9FZ1RvmAsgg2HxlZDFWWrCgkFbkmQ1u8XYiWng2E4NqgyvXcwYr1CTtsGfuxuCJFlfNOu1SpV4YHZQh4m5eAMAN59ZbO/XS/g9P1kL6vcMGNBZRZkBur0IAB7A7WudKqhUNTzk3zRCQnIHZ3xjtbCNR/SkdYCnanflmMkqXjEUyWZZqwYWn1QQ+GEQSaZo2agxZbX2vgLmbe63Tasdnl3khjbqhglfBufUGo+Mb0HfrsKNVXF0tqAxrWyNes030SMUYm+uhH28YEfnDA8Lnci/7a3Dq3IbBzXokd/wHQZEKwYT3GMWbazrw9eHzPd9DeXoNt+YpmJe0KH30Sla7b6smxLseLQkPnlRcQR+FKwEgn5clJTdCgw+GzyYsDvOESJVO/IbKaffbRut4NdykvJzQJZeulOQxg42uNFfsMMnSwYCVaM1rAPdKuTwDqf5vBnvEU8Cd2CR9of39Dj8Phyyxn7GQi6Ow1Rn9+MA2xzOG7+iYWRkJzDvDd68bzVKe+h5PUE1XFnQZCfz2xNF0m6pJ2lSUTSJJXtxdd0ezvRdM8exLEy+TWBkcQTKC68Jz2JtrOXXQLtUMsYxYcqG4ilrat4SfzK998lmX7yoj7ehtPPlBaQdZmGfOKk3nGIzXTWa36SYUSI2CSb4XohiOWMhzKl4bxRZi7XqJqUCzgt8nIJ8i+A9ZWw1UBAfn1xoVlQdzZdR2KsmhGZ5g876rIxhslOi+oesldFejAlJ6rra5HOqIRBulOU4etZko7A2XRSyEeJQl/mc5R1bhzwvZq/hk83Ebc6iFhR9pM3yUW4
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sans.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1; ___utmvc=mZrY9TjCVgNB1VfTWYlykjdE9PIngTUB081LbjhuIbsH1Gf9DLcGu7nYPeWPwOG4RHKUc9j6F0vYhUS6qRBvHbk/95Ma5bwPZuiarSX3ylkpWtxNrmTBMuYU6pTFnCyVQdnDmFwsjTQeS7jjxFXFTht8yBp3wGdboZdn78TGM/W/oFSAwSqy5OkoBkJepTTJGyqoYGhIt1Mum16VJVlsbKj6DAOBuqlFVflnjvsr5VdVJNxLLBlLQq4tMo1XSEAnyiPB4b3YlwzvXN+ERegbXFCJs5CwtsqeaNIDGhbfLTfe32Tl4merd9knQo7P1/CwW4KGJnlAPFTNSUGiybvQOoUaQn+lO6In35yO7TZezn3U3Y5WAbOULoRDfDIzYvtu+tZbAWT6OQDlH2o6jgPqD+9L1x37+DXHwghSAi4hYadlgQv8VAAjIQShskTa1q9pfFWsX/hkavxlFLdh5ktK+Cx7K/MRQOnICJEBwDWZieCkrTTRmQkCoyXTIgBuniAM1CWtvPI5VZJoY8ts4JdEW+Ez7Z+et0rChNxoNDEsbrSxfcImz66AJefOozZjm66CCTb9ImHNubhPjAUD9yh8zV0zyHHs6LsgA+tD8MOAHJd91mVB4KM4fAv5aL5WIf4f2IlhaCfrORsj+JlY/5oSRzySDR0CgsVDWBxN0MX4s+ROiryni0/CNfWCjDDOIuo5aBe69fgRZ7XmNaJ1+PnJ5JRSn7Fnmu4ogCfTgOF7tfwaaZTYDzEi3TCdxiK+3vUkui9pMY3EPd61EK+YIiWIVxYloIkQMKqFSXp5X9Eq3OXM98Ducg4xh/weJVfKwbTZcvlwvSxlu20RAZA28CIM/8pp+tejKCT4QLyXCqJYup8VisiYs/MmJiTAEjuCOZaHh/P+g0XUUs9WZSDytkoqd8yCwnOw/QAM9aZzU2LA8szRIU2h/niIaDHojjvyISLn9tmnBdARz8/pTWJGDb/lqj+owHNx6cu20P6d9DRDrowXjZd+R2Y1x++KDB3G7Tns7/mge6fX6Jm7v2TAGEyLM2ah9NwHCYpTI1Ue0CJ7rV/sdg81G8QESFm5NxSoVlSmiRtPZGFm+HU07qPmw2Lik9FZ1RvmAsgg2HxlZDFWWrCgkFbkmQ1u8XYiWng2E4NqgyvXcwYr1CTtsGfuxuCJFlfNOu1SpV4YHZQh4m5eAMAN59ZbO/XS/g9P1kL6vcMGNBZRZkBur0IAB7A7WudKqhUNTzk3zRCQnIHZ3xjtbCNR/SkdYCnanflmMkqXjEUyWZZqwYWn1QQ+GEQSaZo2agxZbX2vgLmbe63Tasdnl3khjbqhglfBufUGo+Mb0HfrsKNVXF0tqAxrWyNes030SMUYm+uhH28YEfnDA8Lnci/7a3Dq3IbBzXokd/wHQZEKwYT3GMWbazrw9eHzPd9DeXoNt+YpmJe0KH30Sla7b6smxLseLQkPnlRcQR+FKwEgn5clJTdCgw+GzyYsDvOESJVO/IbKaffbRut4NdykvJzQJZeulOQxg42uNFfsMMnSwYCVaM1rAPdKuTwDqf5vBnvEU8Cd2CR9of39Dj8Phyyxn7GQi6Ow1Rn9+MA2xzOG7+iYWRkJzDvDd68bzVKe+h5PUE1XFnQZCfz2xNF0m6pJ2lSUTSJJXtxdd0ezvRdM8exLEy+TWBkcQTKC68Jz2JtrOXXQLtUMsYxYcqG4ilrat4SfzK998lmX7yoj7ehtPPlBaQdZmGfOKk3nGIzXTWa36SYUSI2CSb4XohiOWMhzKl4bxRZi7XqJqUCzgt8nIJ8i+A9ZWw1UBAfn1xoVlQdzZdR2KsmhGZ5g876rIxhslOi+oesldFejAlJ6rra5HOqIRBulOU4etZko7A2XRSyEeJQl/mc5R1bhzwvZq/hk83Ebc6iFhR9pM3yUW4dKuLKX1d4EebVWkRZjFLzzOk1TjW2JEy3xNkd4pHE2D8alFPgPyjHOuumup88PujvLPpA9kck+ro4WiMMEPMahgJLSu6MQJk+1U+
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sans.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1; ___utmvc=mZrY9TjCVgNB1VfTWYlykjdE9PIngTUB081LbjhuIbsH1Gf9DLcGu7nYPeWPwOG4RHKUc9j6F0vYhUS6qRBvHbk/95Ma5bwPZuiarSX3ylkpWtxNrmTBMuYU6pTFnCyVQdnDmFwsjTQeS7jjxFXFTht8yBp3wGdboZdn78TGM/W/oFSAwSqy5OkoBkJepTTJGyqoYGhIt1Mum16VJVlsbKj6DAOBuqlFVflnjvsr5VdVJNxLLBlLQq4tMo1XSEAnyiPB4b3YlwzvXN+ERegbXFCJs5CwtsqeaNIDGhbfLTfe32Tl4merd9knQo7P1/CwW4KGJnlAPFTNSUGiybvQOoUaQn+lO6In35yO7TZezn3U3Y5WAbOULoRDfDIzYvtu+tZbAWT6OQDlH2o6jgPqD+9L1x37+DXHwghSAi4hYadlgQv8VAAjIQShskTa1q9pfFWsX/hkavxlFLdh5ktK+Cx7K/MRQOnICJEBwDWZieCkrTTRmQkCoyXTIgBuniAM1CWtvPI5VZJoY8ts4JdEW+Ez7Z+et0rChNxoNDEsbrSxfcImz66AJefOozZjm66CCTb9ImHNubhPjAUD9yh8zV0zyHHs6LsgA+tD8MOAHJd91mVB4KM4fAv5aL5WIf4f2IlhaCfrORsj+JlY/5oSRzySDR0CgsVDWBxN0MX4s+ROiryni0/CNfWCjDDOIuo5aBe69fgRZ7XmNaJ1+PnJ5JRSn7Fnmu4ogCfTgOF7tfwaaZTYDzEi3TCdxiK+3vUkui9pMY3EPd61EK+YIiWIVxYloIkQMKqFSXp5X9Eq3OXM98Ducg4xh/weJVfKwbTZcvlwvSxlu20RAZA28CIM/8pp+tejKCT4QLyXCqJYup8VisiYs/MmJiTAEjuCOZaHh/P+g0XUUs9WZSDytkoqd8yCwnOw/QAM9aZzU2LA8szRIU2h/niIaDHojjvyISLn9tmnBdARz8/pTWJGDb/lqj+owHNx6cu20P6d9DRDrowXjZd+R2Y1x++KDB3G7Tns7/mge6fX6Jm7v2TAGEyLM2ah9NwHCYpTI1Ue0CJ7rV/sdg81G8QESFm5NxSoVlSmiRtPZGFm+HU07qPmw2Lik9FZ1RvmAsgg2HxlZDFWWrCgkFbkmQ1u8XYiWng2E4NqgyvXcwYr1CTtsGfuxuCJFlfNOu1SpV4YHZQh4m5eAMAN59ZbO/XS/g9P1kL6vcMGNBZRZkBur0IAB7A7WudKqhUNTzk3zRCQnIHZ3xjtbCNR/SkdYCnanflmMkqXjEUyWZZqwYWn1QQ+GEQSaZo2agxZbX2vgLmbe63Tasdnl3khjbqhglfBufUGo+Mb0HfrsKNVXF0tqAxrWyNes030SMUYm+uhH28YEfnDA8Lnci/7a3Dq3IbBzXokd/wHQZEKwYT3GMWbazrw9eHzPd9DeXoNt+YpmJe0KH30Sla7b6smxLseLQkPnlRcQR+FKwEgn5clJTdCgw+GzyYsDvOESJVO/IbKaffbRut4NdykvJzQJZeulOQxg42uNFfsMMnSwYCVaM1rAPdKuTwDqf5vBnvEU8Cd2CR9of39Dj8Phyyxn7GQi6Ow1Rn9+MA2xzOG7+iYWRkJzDvDd68bzVKe+h5PUE1XFnQZCfz2xNF0m6pJ2lSUTSJJXtxdd0ezvRdM8exLEy+TWBkcQTKC68Jz2JtrOXXQLtUMsYxYcqG4ilrat4SfzK998lmX7yoj7ehtPPlBaQdZmGfOKk3nGIzXTWa36SYUSI2CSb4XohiOWMhzKl4bxRZi7XqJqUCzgt8nIJ8i+A9ZWw1UBAfn1xoVlQdzZdR2KsmhGZ5g876rIxhslOi+oesldFejAlJ6rra5HOqIRBulOU4etZko7A2XRSyEeJQl/mc5R1bhzwvZq/hk83Ebc6iFhR9pM3yUW4dKuLKX1d4EebVWkRZjFLzzOk1TjW2JEy3xNkd4pHE2D8alFPgPyjHOuumup88PujvLPpA9kck+ro4WiMMEPMahgJLSu6MQJk+1U+
Source: global traffic	HTTP traffic detected: GET /emea/ HTTP/1.1Host: www.sans.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sans.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visid_incap_1329355=UGzCdwN2TN+XTU9QiBGe3/jCY2MAAAAAQUIPAAAAAABtj6shisXlypivusmNM5rB; nlbi_1329355=OWRxMR/8tlnAUPGwLx1sNAAAAAD67JmrWrN1VDZkKY4sCen0; incap_ses_1348_1329355=yc+vesDGVTeDQplTdQ+1EvjCY2MAAAAAmeD7R6f7RqN6WbygLoJ34Q==; nlbi_1329355_2448318=XMjif8cU6ywx1p3mLx1sNAAAAAAxhgbwRyFmAUD3ucn6PJEV; nlbi_1329355_2277483=kMg9Rkht7x7uqUPaLx1sNAAAAADAYXnEZiYlOWL7SZPDOedu; spses.6b32=; spid.6b32=4c6b9fd5-b5fb-4cdb-864e-e1fff6ba9fa2.1667511197.1.1667511197..89e07166-abb1-4a5e-ae76-256375d4f158..b4cd4383-3804-4f93-a1e7-30a8cdd09a9f.1667511196617.1; ___utmvc=mZrY9TjCVgNB1VfTWYlykjdE9PIngTUB081LbjhuIbsH1Gf9DLcGu7nYPeWPwOG4RHKUc9j6F0vYhUS6qRBvHbk/95Ma5bwPZuiarSX3ylkpWtxNrmTBMuYU6pTFnCyVQdnDmFwsjTQeS7jjxFXFTht8yBp3wGdboZdn78TGM/W/oFSAwSqy5OkoBkJepTTJGyqoYGhIt1Mum16VJVlsbKj6DAOBuqlFVflnjvsr5VdVJNxLLBlLQq4tMo1XSEAnyiPB4b3YlwzvXN+ERegbXFCJs5CwtsqeaNIDGhbfLTfe32Tl4merd9knQo7P1/CwW4KGJnlAPFTNSUGiybvQOoUaQn+lO6In35yO7TZezn3U3Y5WAbOULoRDfDIzYvtu+tZbAWT6OQDlH2o6jgPqD+9L1x37+DXHwghSAi4hYadlgQv8VAAjIQShskTa1q9pfFWsX/hkavxlFLdh5ktK+Cx7K/MRQOnICJEBwDWZieCkrTTRmQkCoyXTIgBuniAM1CWtvPI5VZJoY8ts4JdEW+Ez7Z+et0rChNxoNDEsbrSxfcImz66AJefOozZjm66CCTb9ImHNubhPjAUD9yh8zV0zyHHs6LsgA+tD8MOAHJd91mVB4KM4fAv5aL5WIf4f2IlhaCfrORsj+JlY/5oSRzySDR0CgsVDWBxN0MX4s+ROiryni0/CNfWCjDDOIuo5aBe69fgRZ7XmNaJ1+PnJ5JRSn7Fnmu4ogCfTgOF7tfwaaZTYDzEi3TCdxiK+3vUkui9pMY3EPd61EK+YIiWIVxYloIkQMKqFSXp5X9Eq3OXM98Ducg4xh/weJVfKwbTZcvlwvSxlu20RAZA28CIM/8pp+tejKCT4QLyXCqJYup8VisiYs/MmJiTAEjuCOZaHh/P+g0XUUs9WZSDytkoqd8yCwnOw/QAM9aZzU2LA8szRIU2h/niIaDHojjvyISLn9tmnBdARz8/pTWJGDb/lqj+owHNx6cu20P6d9DRDrowXjZd+R2Y1x++KDB3G7Tns7/mge6fX6Jm7v2TAGEyLM2ah9NwHCYpTI1Ue0CJ7rV/sdg81G8QESFm5NxSoVlSmiRtPZGFm+HU07qPmw2Lik9FZ1RvmAsgg2HxlZDFWWrCgkFbkmQ1u8XYiWng2E4NqgyvXcwYr1CTtsGfuxuCJFlfNOu1SpV4YHZQh4m5eAMAN59ZbO/XS/g9P1kL6vcMGNBZRZkBur0IAB7A7WudKqhUNTzk3zRCQnIHZ3xjtbCNR/SkdYCnanflmMkqXjEUyWZZqwYWn1QQ+GEQSaZo2agxZbX2vgLmbe63Tasdnl3khjbqhglfBufUGo+Mb0HfrsKNVXF0tqAxrWyNes030SMUYm+uhH28YEfnDA8Lnci/7a3Dq3IbBzXokd/wHQZEKwYT3GMWbazrw9eHzPd9DeXoNt+YpmJe0KH30Sla7b6smxLseLQkPnlRcQR+FKwEgn5clJTdCgw+GzyYsDvOESJVO/IbKaffbRut4NdykvJzQJZeulOQxg42uNFfsMMnSwYCVaM1rAPdKuTwDqf5vBnvEU8Cd2CR9of39Dj8Phyyxn7GQi6Ow1Rn9+MA2xzOG7+iYWRkJzDvDd68bzVKe+h5PUE1XFnQZCfz2xNF0m6pJ2lSUTSJJXtxdd0ezvRdM8exLEy+TWBkcQTKC68Jz2JtrOXXQLtUMsYxYcqG4ilrat4SfzK998lmX7yoj7ehtPPlBaQdZmGfOKk3nGIzXTWa36SYUSI2CSb4XohiOWMhzKl4bxRZi7XqJqUCzgt8nIJ8i+A9ZWw1UBAfn1xoVlQdzZdR2KsmhGZ5g876rIxhslOi+oesldFejAlJ6rra5HOqIRBulOU4etZko7A2XRSyEeJQl/mc5R1bhzwvZq/hk83Ebc6iFhR9pM3yUW4dKuLKX1d4EebVWkRZjFLzzOk1TjW2JEy3xNkd4pHE2D8alFPgPyjHOuumup88PujvLPpA9kck+ro4WiMMEPMahgJLSu6MQJ
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: www.sans.org
Source: global traffic	HTTP traffic detected: GET /emea/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: www.sans.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49306
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443

Source: document.xml	String found in binary or memory: https://csrc.nist.gov/projects/risk-management
Source: document.xml	String found in binary or memory: https://www.eugdpr.org/key-changes.html
Source: document.xml	String found in binary or memory: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Source: document.xml	String found in binary or memory: https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Source: document.xml	String found in binary or memory: https://www.pcisecuritystandards.org/documents/PCI_SSC_PFI_Guidance.pdf
Source: document.xml	String found in binary or memory: https://www.sarbanes-oxley-101.com/

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Network device logs, Network intrusion detection system, Packet capture, Process use of network, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IR_Plan_Template.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\mso6078.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IR_Plan_Template.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$_Plan_Template.docx

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXEPID: 940, Parent PID: 576

General

File Activities

File Opened

File Created

File Deleted

File Moved

File Written

File Read

File Attributes Queried

Directory Queried

Other File Operations

Windows Analysis Report
IR_Plan_Template.docx