Windows Analysis Report
BL 248436935 CNTR MRKU9180226.docx.doc

Overview

General Information

Sample name: BL 248436935 CNTR MRKU9180226.docx.doc
Analysis ID: 1647704
MD5: d4409205b193e0790bb72cd954812833
SHA1: a96d542ec49c29e5c71a620ee61343075e53b96c
SHA256: 8ffa58fc07d41fd5d0b67467cfe731ca8d05de3a075ed9f7e22fcd31b3339d61
Tags: doc, docx, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains an external reference to another file
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 7848 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49718, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7848, Protocol: tcp, SourceIp: 162.19.137.157, SourceIsIpv6: false, SourcePort: 443

Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-25T07:30:37.171113+0100  2028371  3         Unknown Traffic  192.168.2.4  49718        162.19.137.157  443               TCP
2025-03-25T07:30:38.726735+0100  2028371  3         Unknown Traffic  192.168.2.4  49720        162.19.137.157  443               TCP
2025-03-25T07:30:39.469261+0100  2028371  3         Unknown Traffic  192.168.2.4  49723        162.19.137.157  443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-25T07:30:38.254723+0100  1810005  1         Potentially Bad Traffic  192.168.2.4  49719        162.19.137.157  443               TCP

AV Detection

Source: BL 248436935 CNTR MRKU9180226.docx.doc | Virustotal: Detection: 16%
Source: BL 248436935 CNTR MRKU9180226.docx.doc | ReversingLabs: Detection: 19%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: global traffic | DNS query: name: t.emobility.energy
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443 (8 events)
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443 (11 events)
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443 (8 events)
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443 (8 events)
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443 (10 events)
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (13 events)
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49718
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49718 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49718 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49718 (3 events)
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49718
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49719
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49719 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49719 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49719 (3 events)
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443 (3 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49719
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720 (3 events)
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49720 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49723
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49723 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49723
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49723 (3 events)
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 162.19.137.157:443 (3 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49723 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49727 -> 162.19.137.157:443 (3 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49727
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728 (3 events)
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728 (2 events)
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (2 events)
Source: global traffic | TCP traffic: 162.19.137.157:443 -> 192.168.2.4:49728
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 162.19.137.157:443 (2 events)
Source: winword.exe | Memory has grown: Private usage: 1MB later: 70MB

Networking

Source: Network traffic | Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49719 -> 162.19.137.157:443
Source: Joe Sandbox View | IP Address: 162.19.137.157
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49718 -> 162.19.137.157:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 162.19.137.157:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49723 -> 162.19.137.157:443
Source: global traffic | HTTP traffic detected:
    GET /NHVI4G?&squid=roasted HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: t.emobility.energy
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /404 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    Accept-Encoding: gzip, deflate
    Host: t.emobility.energy
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /NHVI4G?&squid=roasted HTTP/1.1 (same request headers as the first GET /NHVI4G above)
Source: global traffic | HTTP traffic detected: GET /404 HTTP/1.1 (same request headers as the first GET /404 above)
Source: global traffic | DNS traffic detected: DNS query: t.emobility.energy
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 25 Mar 2025 06:30:39 GMT
    Server: Apache/2.4.62 (Debian)
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Powered-By: Next.js
    ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
    Content-Type: text/html; charset=utf-8
    Content-Length: 4645
    Vary: Accept-Encoding
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
    Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Tue, 25 Mar 2025 06:30:41 GMT (all other response headers identical to the 404 response above)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: classification engine | Classification label: mal60.evad.winDOC@2/1@1/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ 248436935 CNTR MRKU9180226.docx.doc
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{540EB9E7-BAA5-4F85-9E9B-34F1399EC662} - OProcSessId.dat
Source: BL 248436935 CNTR MRKU9180226.docx.doc | OLE indicator, Word Document stream: true
Source: BL 248436935 CNTR MRKU9180226.docx.doc | OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Virustotal: Detection: 16%
Source: BL 248436935 CNTR MRKU9180226.docx.doc | ReversingLabs: Detection: 19%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Initial sample: OLE zip file path = word/media/image2.emf
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Initial sample: OLE summary lastprinted = 2020-10-16 02:53:17
Source: BL 248436935 CNTR MRKU9180226.docx.doc | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels | Extracted files from sample: https://t.emobility.energy/nhvi4g?&squid=roasted
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
ATT&CK Matrix (techniques listed per tactic; the count of matches shown in the original matrix is given in parentheses):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (11); Exploitation for Client Execution (3); At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Extra Window Memory Injection (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1647704
Sample: BL 248436935 CNTR MRKU9180226.docx.doc
Startdate: 25/03/2025
Architecture: WINDOWS
Score: 60
Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Contains an external reference to another file
Process: WINWORD.EXE (started; 152 created registry values, 99 created files)
DNS/IP: t.emobility.energy; host1.emobility.energy (162.19.137.157, ports 443, 49718, 49719; CENTURYLINK-US-LEGACY-QWESTUS, United States)
Source | Detection | Scanner
BL 248436935 CNTR MRKU9180226.docx.doc | 16% | Virustotal
BL 248436935 CNTR MRKU9180226.docx.doc | 19% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label
https://t.emobility.energy/404 | 0% | Avira URL Cloud | safe
https://t.emobility.energy/NHVI4G?&squid=roasted | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
host1.emobility.energy | 162.19.137.157 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
t.emobility.energy | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://t.emobility.energy/NHVI4G?&squid=roasted | true | Avira URL Cloud: safe | unknown
https://t.emobility.energy/404 | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.19.137.157 | host1.emobility.energy | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1647704
        Start date and time:2025-03-25 07:29:26 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 35s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:BL 248436935 CNTR MRKU9180226.docx.doc
        Detection:MAL
        Classification:mal60.evad.winDOC@2/1@1/1
        Cookbook Comments:
        • Found application associated with file extension: .doc
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.109.0.91, 184.31.69.3, 52.109.16.112, 52.111.251.19, 52.111.251.16, 52.111.251.17, 52.111.251.18, 23.196.3.185, 23.196.3.178, 52.123.128.14, 40.126.24.146, 20.109.210.53
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, ncus-azsc-000.roaming.officeapps.live.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, ocsp.digicert.com, login.live.com, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, e26769.d
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        No simulations
Context for 162.19.137.157 (Associated Sample Name / URL | Detection | Threat Name):
PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
CMR ReF 15200477813.docx.doc | malicious | Unknown
CMR ReF 15200477813.docx.doc | malicious | Unknown
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown
Medical GmbH Order.xls | malicious | Unknown

Context for s-0005.dual-s-msedge.net (Associated Sample Name / URL | Detection | Threat Name | Context IP):
PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 52.123.128.14
Invoice#1427743190.eml | malicious | Unknown | 52.123.129.14
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 52.123.128.14
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 52.123.128.14
Sbafla response to shift in trend.msg | malicious | Unknown | 52.123.129.14
original (2).eml | malicious | Unknown | 52.123.129.14
702cb6e..eml | malicious | HTMLPhisher | 52.123.128.14
702cb6e..eml | malicious | HTMLPhisher | 52.123.128.14
EXTERNAL Cash Flow Analysis Final Review Needed Before Submission.msg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.128.14

Context for host1.emobility.energy (Associated Sample Name / URL | Detection | Threat Name | Context IP):
PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157
Medical GmbH Order.xls | malicious | Unknown | 162.19.137.157

Context for CENTURYLINK-US-LEGACY-QWESTUS (Associated Sample Name / URL | Detection | Threat Name | Context IP):
PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
https://tinyurl.com/SA-Recycling | malicious | Unknown | 162.19.138.82
CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
https://tinyurl.com/2x5dks36__;!!KtM2tloZCg!t4Gwb4Io82PLGf5Ziyn1ynf2MK2R8tVwoHlt6AQrinUFsCCwJRl23VZd9oJ2PaWibwt0lcEQuPw3Iyz8vMIkjw$ | malicious | Unknown | 162.19.138.116
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157
PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157

Context for a0e9f5d64349fb13191bc781f81f42e1 (Associated Sample Name / URL | Detection | Threat Name | Context IP):
PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
ysxekL7sOS.exe | malicious | LummaC | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
U7248e&f.exe | malicious | Unknown | 162.19.137.157
3jEg2t38ra.exe | malicious | LummaC Stealer, Stealc, Vidar | 162.19.137.157
mzJ9X7kc28.exe | malicious | LummaC Stealer | 162.19.137.157
9GNLDc2CHH.exe | malicious | LummaC Stealer | 162.19.137.157
NHZXqeW3OJ.exe | malicious | LummaC Stealer | 162.19.137.157
jx22fssg2d.exe | malicious | LummaC Stealer | 162.19.137.157

Context for 37f463bf4616ecd445d4a1937da06e19 (Associated Sample Name / URL | Detection | Threat Name | Context IP):
GEwWDGafs9.exe | malicious | Clipboard Hijacker | 162.19.137.157
Employee Satisfaction Survey 2025.exe | malicious | Remcos, GuLoader | 162.19.137.157
Quotation ECDXB0007432025CJ.exe | malicious | GuLoader, Snake Keylogger | 162.19.137.157
3jEg2t38ra.exe | malicious | LummaC Stealer, Stealc, Vidar | 162.19.137.157
JpPY0mRA9f.exe | malicious | Vidar | 162.19.137.157
AjRfCGo2mb.exe | malicious | Vidar | 162.19.137.157
cfKieT3lkP.exe | malicious | Vidar | 162.19.137.157
CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
jn8DY8kfrM.msi | malicious | Unknown | 162.19.137.157
rIMG523000010722100013267543polyhalogen.bat | malicious | Remcos, GuLoader | 162.19.137.157
                            No context
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):162
                            Entropy (8bit):4.7887095547632414
                            Encrypted:false
                            SSDEEP:3:KVGl/lilKlRAGlK8f/kHyr6f+qIUrXt59dWkkqlpOJEPRaaVfP:KVy/4KDJsY8IOqJ9JEP82P
                            MD5:29F9C45CCA48299F08F9138AB94E69AD
                            SHA1:849D952CDD6BDF11826791850C0746454C420B7B
                            SHA-256:C352AE2063C039092CC0B4C9E248FAC749D835F2DCB7C5B8DB7C1099E7DCD1FE
                            SHA-512:8E75ADCCFC71427B7F28227427D51AF2C79D6BF24FDA94C19CE8E99AEBB5D2E39D567A688A3FCE18E11782EC44672DFAE0BB94203D4444CF9A6E341F7E6FA73B
                            Malicious:false
                            Reputation:low
                            Preview:.user..................................................j.o.n.e.s.....+v.....z.....N_...e.2.......P(C%..{.slN..p..\Xx38rk..G#O.......U.a(d#..}.aj....p....=.j
                            File type:Microsoft Word 2007+
                            Entropy (8bit):7.963690696843289
                            TrID:
                            • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                            • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                            • ZIP compressed archive (8000/1) 9.41%
                            File name:BL 248436935 CNTR MRKU9180226.docx.doc
                            File size:56'034 bytes
                            MD5:d4409205b193e0790bb72cd954812833
                            SHA1:a96d542ec49c29e5c71a620ee61343075e53b96c
                            SHA256:8ffa58fc07d41fd5d0b67467cfe731ca8d05de3a075ed9f7e22fcd31b3339d61
                            SHA512:60f5877e972415fee24b76e172412e3b7b416b667673459f0278bc4d15c1363474ed87e21b7e635648828db52f107c427f8b0dd7ed8a901686e92ac1bdee9e98
                            SSDEEP:768:mYqOqCBG0LSEbG2FVChvBQ78itcNjXxIqSSooFul1Yt9Nxk/EW7hwTP9VAnCA9EQ:mn7CfVChJucpXxpY1ubyZS38xuQ4NxQ
                            TLSH:B643F1799861481AE6CC43F9D1453A0EF631E7271EA330339F901F2DADF7AC9061266D
                            File Content Preview:PK.........UxZ+..0............[Content_Types].xmlUT....7.g.7.g.7.g.V.j.@.}/.....i..J)....c.h.....%.7v&......SL".../.bu.3s4hu.;[<A...Z,..(..`:.....o.GQ )o...j.......V...X0.c-Z..IJ.-8.U......)....Q..j..z.. u...J..b....Rg..S..+.:.9$#.......N...\.....vZ...O..
                            Icon Hash:35e1cc889a8a8599
                            Document Type:OpenXML
                            Number of OLE Files:1
                            Has Summary Info:
                            Application Name:
                            Encrypted Document:False
                            Contains Word Document Stream:True
                            Contains Workbook/Book Stream:False
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:False
                            Flash Objects Count:0
                            Contains VBA Macros:False
                            Code Page:-535
                            Title:
                            Subject:
                            Author:91974
                            Keywords:
                            Template:Normal.dotm
                            Last Saved By:91974
Revision Number:2
                            Total Edit Time:1
                            Last Printed:2020-10-16 02:53:17
                            Create Time:2025-03-21T06:52:00Z
                            Last Saved Time:2025-03-21T06:53:00Z
                            Number of Pages:1
                            Number of Words:0
                            Number of Characters:0
Thumbnail:[WMF/EMF image data; legible strings in the thumbnail: "TEL: 0086-512-82558856 FAX: 0086-512-58268319", "JIANGSU SOIPOI CO.,LTD", "DELIVERY ORDER"; fonts referenced: SimSun/_GB2312, Verdana, Times New Roman]
                            Creating Application:Microsoft Office Word
                            Security:0
                            Document Code Page:1252
                            Presentation Target Format:
                            Number of Lines:1
                            Number of Paragraphs:1
                            Number of Slides:0
                            Number of Pages with Notes:0
                            Number of Hidden Slides:0
                            Number of Sound/Video Clips:0
                            Thumbnail Scaling Desired:false
                            Company:Grizli777
                            Contains Dirty Links:false
                            Shared Document:false
                            Changed Hyperlinks:false
                            Application Version:12.0000
                            General
                            Stream Path:\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.25248375192737
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:\x1Ole
                            CLSID:
                            File Type:data
                            Stream Size:20
                            Entropy:0.5689955935892812
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:\x3EPRINT
                            CLSID:
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Stream Size:36988
                            Entropy:3.2497681809626355
                            Base64 Encoded:False
                            Data ASCII:. . . . l . . . . . . . . . . . . . . . . . . . . . . . . . J [ . . ( W . . E M F . . . . | . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 20 00 00 00 0a 14 00 00 f1 13 00 00 00 00 00 00 00 00 00 00 4a 5b 00 00 28 57 00 00 20 45 4d 46 00 00 01 00 7c 90 00 00 6b 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                            General
                            Stream Path:\x3ObjInfo
                            CLSID:
                            File Type:data
                            Stream Size:6
                            Entropy:1.2516291673878228
                            Base64 Encoded:False
                            Data ASCII:. . . . . .
                            Data Raw:00 00 03 00 0d 00
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:560
                            Entropy:3.3879366798911743
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 8c 01 00 00 48 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 03 00 00 00 90 00 00 00 05 00 00 00 9c 00 00 00 06 00 00 00 a4 00 00 00 07 00 00 00 ac 00 00 00 08 00 00 00 b4 00 00 00 09 00 00 00
                            General
                            Stream Path:\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:24184
                            Entropy:3.1945226555165376
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . H ^ . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . 1 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . g . @ . . . . . . Q < . . @ . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 48 5e 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 04 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 08 00 00 00 a0 00 00 00 09 00 00 00 b0 00 00 00 12 00 00 00 bc 00 00 00 0b 00 00 00 d4 00 00 00 0c 00 00 00 e0 00 00 00 0d 00 00 00 ec 00 00 00
                            General
                            Stream Path:Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:17006
                            Entropy:4.28640454300865
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . Z T 0 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . .
                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 80 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20


                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2025-03-25T07:30:37.171113+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49718 | 162.19.137.157 | 443 | TCP
                            2025-03-25T07:30:38.254723+0100 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.4 | 49719 | 162.19.137.157 | 443 | TCP
                            2025-03-25T07:30:38.726735+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49720 | 162.19.137.157 | 443 | TCP
                            2025-03-25T07:30:39.469261+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49723 | 162.19.137.157 | 443 | TCP
                            • Total Packets: 59
                            • 443 (HTTPS)
                            • 53 (DNS)
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 07:30:36.801523924 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:36.801570892 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:36.801698923 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:36.802357912 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:36.802372932 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.171044111 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.171113014 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.174312115 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.174324036 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.174565077 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.176317930 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.220376015 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.521262884 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.521338940 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.521511078 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.524086952 CET | 49718 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.524147034 CET | 443 | 49718 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.540579081 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.540626049 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.540712118 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.541263103 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.541275024 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.899051905 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.899209976 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.909440994 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.909492970 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.909823895 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:37.909888029 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.911003113 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:37.956324100 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.254750013 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.254821062 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.254914045 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.270998955 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.270999908 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.271055937 CET | 443 | 49719 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.274424076 CET | 49719 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.363456011 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.363583088 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.363815069 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.364021063 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.364058018 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.726196051 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.726735115 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.726793051 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:38.727637053 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:38.727650881 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.099966049 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.100038052 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.100178003 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.100266933 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.100320101 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.100320101 CET | 49720 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.100346088 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.100366116 CET | 443 | 49720 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.101895094 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.101932049 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.102315903 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.102686882 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.102699041 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.468676090 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.469260931 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.469270945 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.477427959 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.477435112 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.829046965 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.829118013 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.829188108 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.831332922 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.831332922 CET | 49723 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.831352949 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.831362009 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.883915901 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.883963108 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:39.884027958 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.885628939 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:39.885654926 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.244275093 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.244374037 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.244901896 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.244919062 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.246750116 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.246772051 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.622283936 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.622337103 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.622358084 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.622380972 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.622419119 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.622419119 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.635885954 CET | 49727 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.635910988 CET | 443 | 49727 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.637770891 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.637804985 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:40.637969017 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.661346912 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:40.661367893 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.024202108 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.024315119 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.024707079 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.024713993 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.025064945 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.025068998 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381094933 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381155968 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381174088 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.381210089 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381225109 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.381258965 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.381267071 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381311893 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.381367922 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.382579088 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.382594109 CET | 443 | 49728 | 162.19.137.157 | 192.168.2.4
                            Mar 25, 2025 07:30:41.382602930 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Mar 25, 2025 07:30:41.383328915 CET | 49728 | 443 | 192.168.2.4 | 162.19.137.157
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 07:30:36.655877113 CET | 60033 | 53 | 192.168.2.4 | 1.1.1.1
                            Mar 25, 2025 07:30:36.800323963 CET | 53 | 60033 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 25, 2025 07:30:36.655877113 CET | 192.168.2.4 | 1.1.1.1 | 0x3450 | Standard query (0) | t.emobility.energy | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 25, 2025 07:30:31.891232014 CET | 1.1.1.1 | 192.168.2.4 | 0x5b25 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 07:30:31.891232014 CET | 1.1.1.1 | 192.168.2.4 | 0x5b25 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 07:30:31.891232014 CET | 1.1.1.1 | 192.168.2.4 | 0x5b25 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 07:30:36.800323963 CET | 1.1.1.1 | 192.168.2.4 | 0x3450 | No error (0) | t.emobility.energy | host1.emobility.energy | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 07:30:36.800323963 CET | 1.1.1.1 | 192.168.2.4 | 0x3450 | No error (0) | host1.emobility.energy | - | 162.19.137.157 | A (IP address) | IN (0x0001) | false
                            • t.emobility.energy
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49718 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:37 UTC | 331 | OUT | OPTIONS / HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-MSGETWEBURL: t
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 06:30:37 UTC | 550 | IN | HTTP/1.1 200 OK
                            Date: Tue, 25 Mar 2025 06:30:37 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            Allow: GET,HEAD
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 8
                            ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close
                            2025-03-25 06:30:37 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                            Data Ascii: GET,HEAD


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.4 | 49719 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:37 UTC | 234 | OUT | OPTIONS / HTTP/1.1
                            Authorization: Bearer
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            X-IDCRL_ACCEPTED: t
                            User-Agent: Microsoft Office Protocol Discovery
                            Host: t.emobility.energy
                            Content-Length: 0
                            Connection: Keep-Alive
                            2025-03-25 06:30:38 UTC | 550 | IN | HTTP/1.1 200 OK
                            Date: Tue, 25 Mar 2025 06:30:38 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            Allow: GET,HEAD
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 8
                            ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close
                            2025-03-25 06:30:38 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                            Data Ascii: GET,HEAD


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.4 | 49720 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:38 UTC | 331 | OUT | HEAD /NHVI4G?&squid=roasted HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 06:30:39 UTC | 539 | IN | HTTP/1.1 301 Moved Permanently
                            Date: Tue, 25 Mar 2025 06:30:39 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            Location: /404
                            Vary: Accept
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 38
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.4 | 49723 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:39 UTC | 313 | OUT | HEAD /404 HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 06:30:39 UTC | 590 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 25 Mar 2025 06:30:39 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            X-Powered-By: Next.js
                            ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 4645
                            Vary: Accept-Encoding
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            4 | 192.168.2.4 | 49727 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:40 UTC | 196 | OUT | GET /NHVI4G?&squid=roasted HTTP/1.1
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                            Accept-Encoding: gzip, deflate
                            Host: t.emobility.energy
                            Connection: Keep-Alive
                            2025-03-25 06:30:40 UTC | 539 | IN | HTTP/1.1 301 Moved Permanently
                            Date: Tue, 25 Mar 2025 06:30:40 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            Location: /404
                            Vary: Accept
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 38
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close
                            2025-03-25 06:30:40 UTC | 38 | IN | Data Raw: 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 2f 34 30 34
                            Data Ascii: Moved Permanently. Redirecting to /404


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.4 | 49728 | 162.19.137.157 | 443 | 7848 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 06:30:41 UTC | 178 | OUT | GET /404 HTTP/1.1
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                            Accept-Encoding: gzip, deflate
                            Host: t.emobility.energy
                            Connection: Keep-Alive
                            2025-03-25 06:30:41 UTC590INHTTP/1.1 404 Not Found
                            Date: Tue, 25 Mar 2025 06:30:41 GMT
                            Server: Apache/2.4.62 (Debian)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            X-Powered-By: Next.js
                            ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 4645
                            Vary: Accept-Encoding
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                            Connection: close
                            2025-03-25 06:30:41 UTC4645INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 53 65 74 3d 22 75 74 66 2d 38 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 72 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 75 6e 64 65 66 69 6e 65 64 20 69 73 20 61 20 66 72 65 65 20 61 6e 64 20 6f 70 65 6e 20 73 6f 75 72 63 65 20 55 52 4c 20 73 68 6f 72 74 65 6e 65 72 20 77 69 74 68 20 63 75 73 74 6f 6d 20 64 6f 6d 61 69 6e 73 20 61 6e
                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/><meta name="description" content="undefined is a free and open source URL shortener with custom domains an



                            Target ID:0
                            Start time:02:30:26
                            Start date:25/03/2025
                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                            Imagebase:0x780000
                            File size:1'620'872 bytes
                            MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            No disassembly