
Windows Analysis Report
Untitled_20250325.docx.doc

Overview

General Information

Sample name: Untitled_20250325.docx.doc
Analysis ID: 1647950
MD5: e00b2ef0073a6021cc012dcf5d5ad70c
SHA1: c3dd54e43063122bcb849736ce7fe26ea27344cc
SHA256: f7821649e3f5fdb5cccba8f154ef19d8c59f46ca980059cf20a1d79b2f541bad
Tags: docuser-TeamDreier

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Contains an external reference to another file
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w11x64_office
  • WINWORD.EXE (PID: 7688 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • appidpolicyconverter.exe (PID: 7764 cmdline: "C:\Windows\system32\appidpolicyconverter.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4)
    • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup
No configs have been found
No yara matches
[Source: Network Connection] Author: X__Junior (Nextron Systems). Data: DestinationIp: 192.168.2.25, DestinationIsIpv6: false, DestinationPort: 49691, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 162.19.137.157, SourceIsIpv6: false, SourcePort: 443
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-25T12:53:13.774752+0100 | 1810004 | 1 | Potentially Bad Traffic | 192.168.2.25 | 49696 | 162.19.137.157 | 443 | TCP
2025-03-25T12:53:12.240276+0100 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.25 | 49692 | 162.19.137.157 | 443 | TCP


[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
[Source: unknown] HTTPS traffic detected: 162.19.137.157:443 -> 192.168.2.25:49691 version: TLS 1.2
[Source: global traffic] DNS query: name: t.emobility.energy
[Source: winword.exe] Memory has grown: Private usage: 4MB later: 75MB

Networking

[Source: Network traffic] Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.25:49692 -> 162.19.137.157:443
[Source: Network traffic] Suricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.25:49696 -> 162.19.137.157:443
[Source: Joe Sandbox View] IP Address: 162.19.137.157
[Source: Joe Sandbox View] JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
[Source: global traffic] HTTP traffic detected:
    GET /JpXyeF?&achiever HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: t.emobility.energy
    Connection: Keep-Alive
[Source: unknown] UDP traffic detected without corresponding DNS query: 1.1.1.1
[Source: global traffic] DNS traffic detected: DNS query: t.emobility.energy
[Source: global traffic] HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:53:11 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
[Source: global traffic] HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:53:12 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
[Source: global traffic] HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:53:12 GMT
    Server: Apache/2.4.62 (Debian)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
[Source: global traffic] HTTP traffic detected:
    HTTP/1.1 503 Service Unavailable
    Date: Tue, 25 Mar 2025 11:53:13 GMT
    Server: Apache/2.4.62 (Debian)
    Content-Length: 384
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49696
[Source: unknown] Network traffic detected: HTTP traffic on port 49694 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49694
[Source: unknown] Network traffic detected: HTTP traffic on port 49696 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49692
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49691
[Source: unknown] Network traffic detected: HTTP traffic on port 49692 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49691 -> 443
[Source: classification engine] Classification label: mal52.evad.winDOC@4/2@1/1
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] File created: C:\Users\user\Desktop\~$titled_20250325.docx.doc
[Source: C:\Windows\System32\conhost.exe] Mutant created: \BaseNamedObjects\Local\SM0:7772:120:WilError_03
[Source: C:\Windows\System32\appidpolicyconverter.exe] Mutant created: PolicyMutex
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] File created: C:\Users\user\AppData\Local\Temp\{B30B2BDF-8452-4AF6-9904-C6AD78806480} - OProcSessId.dat
[Source: Untitled_20250325.docx.doc] OLE indicator, Word Document stream: true
[Source: Untitled_20250325.docx.doc] OLE document summary: title field not present or empty
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] File read: C:\Users\desktop.ini
[Source: C:\Windows\System32\appidpolicyconverter.exe] Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
[Source: unknown] Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
[Source: unknown] Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
[Source: C:\Windows\System32\appidpolicyconverter.exe] Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] Process created: unknown unknown
[Source: C:\Windows\System32\appidpolicyconverter.exe] Section loaded: msvcp110_win.dll
[Source: C:\Windows\System32\appidpolicyconverter.exe] Section loaded: userenv.dll
[Source: C:\Windows\System32\appidpolicyconverter.exe] Section loaded: kernel.appcore.dll
[Source: C:\Windows\System32\appidpolicyconverter.exe] Section loaded: srpapi.dll
[Source: C:\Windows\System32\appidpolicyconverter.exe] Section loaded: gpapi.dll
[Source: Window Recorder] Window detected: More than 3 window changes detected
[Source: Untitled_20250325.docx.doc] Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
[Source: Untitled_20250325.docx.doc] Initial sample: OLE zip file path = word/media/image2.emf
[Source: Untitled_20250325.docx.doc] Initial sample: OLE zip file path = word/_rels/settings.xml.rels
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
[Source: Untitled_20250325.docx.doc] Initial sample: OLE summary lastprinted = 2020-10-16 02:53:17
[Source: Untitled_20250325.docx.doc] Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

[Source: settings.xml.rels] Extracted files from sample: https://t.emobility.energy/jpxyef?&achiever
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] Process information set: NOOPENFILEERRORBOX
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
[Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
MITRE ATT&CK Matrix (technique names as shown in the report; a number in parentheses is the count the report displays next to that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Windows Management Instrumentation (1); Exploitation for Client Execution (3); At; Cron; Launchd
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script
  • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Extra Window Memory Injection (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1647950
Sample: Untitled_20250325.docx.doc
Start date: 25/03/2025
Architecture: WINDOWS
Score: 52

  • Contacted domains/IPs: t.emobility.energy; res-stls-prod.edgesuite.net.globalredir.akadns88.net; 2 other IPs or domains
  • Signatures: Suricata IDS alerts for network traffic; Contains an external reference to another file
  • WINWORD.EXE 504 115 started; connects to host1.emobility.energy (162.19.137.157, ports 443, 49691, 49692; CENTURYLINK-US-LEGACY-QWESTUS, United States)
  • appidpolicyconverter.exe 1 started; starts conhost.exe
Source | Detection | Scanner | Label
Untitled_20250325.docx.doc | 11% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://t.emobility.energy/JpXyeF?&achiever | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
host1.emobility.energy | 162.19.137.157 | true | false | | high
a726.dscd.akamai.net | 23.57.90.76 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high
t.emobility.energy | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://t.emobility.energy/JpXyeF?&achiever | true | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
162.19.137.157 | host1.emobility.energy | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1647950
Start date and time: 2025-03-25 12:51:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Untitled_20250325.docx.doc
Detection: MAL
Classification: mal52.evad.winDOC@4/2@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, conhost.exe, appidcertstorecheck.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.16.52, 20.189.173.1, 52.111.251.18, 52.111.251.19, 52.111.251.17, 52.111.251.16, 23.219.82.136, 23.219.82.208, 52.109.6.63, 172.202.163.200, 184.31.69.3, 52.123.129.14, 40.126.24.83, 23.57.90.76, 23.57.90.77
  • Excluded domains from analysis (whitelisted): onedscolprdwus00.westus.cloudapp.azure.com, us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, cus-config.officeapps.live.com, res-1.cdn.office.net, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, ncus-000.odc.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, osiprod-ncus-bronze-public-000.northcentralus.cloudapp.azure.com, c.pki.goog, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, uci.cdn.office.net, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, res-stls-prod.edgesuite.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
No simulations
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
162.19.137.157 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
162.19.137.157 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
162.19.137.157 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
162.19.137.157 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
162.19.137.157 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
162.19.137.157 | CMR ReF 15200477813.docx.doc | malicious | Unknown

Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
a726.dscd.akamai.net | Sales Contract_1.docx | malicious | Unknown | 23.57.90.80
a726.dscd.akamai.net | https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcy | malicious | Unknown | 23.44.133.49
a726.dscd.akamai.net | FILLING SUMMON DOCUMENT.docx | malicious | HTMLPhisher | 2.16.168.122
a726.dscd.akamai.net | New Order.docx | malicious | Unknown | 23.219.36.134
a726.dscd.akamai.net | Ordersheet_NanshaGA-012.docx | malicious | Unknown | 23.219.36.134
a726.dscd.akamai.net | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 23.219.36.135
a726.dscd.akamai.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 23.219.36.135
a726.dscd.akamai.net | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 23.219.36.135
a726.dscd.akamai.net | original (2).eml | malicious | Unknown | 23.200.0.200
a726.dscd.akamai.net | memebers.doc | malicious | Unknown | 23.40.179.68
s-0005.dual-s-msedge.net | Sales Contract_1.docx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | ProLab TT COPY for Proforma Invoice PLDS24344.docx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | quotation_1.xlsx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Sales Contract_1.docx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcy | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | FILLING SUMMON DOCUMENT.docx | malicious | HTMLPhisher | 52.123.128.14
s-0005.dual-s-msedge.net | Legal_Notice_Presentation.pptx | malicious | HTMLPhisher | 52.123.129.14
s-0005.dual-s-msedge.net | CMR%20ReF%2015200477813.docx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | PO#45028.xlam.xlsx | malicious | Unknown | 52.123.128.14
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | https://tinyurl.com/SA-Recycling | malicious | Unknown | 162.19.138.82

Context: JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
258a5a1e95b8a911872bae9081526644 | PO#45028.xlam.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | CMR ReF 15200477813.docx.doc | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER - PO#267759.xlam.xlsx | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | Medical GmbH Order.xls | malicious | Unknown | 162.19.137.157
258a5a1e95b8a911872bae9081526644 | Quotation.xls | malicious | Unknown | 162.19.137.157

Context: Dropped Files
No context
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1772
Entropy (8bit): 2.6943123162171814
Encrypted: false
SSDEEP: 48:m8/WKGKLszdpep4Tk4MfbEtK0Ia5A6gp35kyTzl:lQzdrj4q+62F
MD5: F7439E565BE8422A2B0784CD8BD956F0
SHA1: 13BC806519C62C32BD484C04627C6D4AD3DF8B9C
SHA-256: C6DFCFE6FACA0F6811D84549C8DC9ADBA33023FE9319F9A3830CB72E6176158B
SHA-512: 1A17C47B952A695AF857E74F2DBCC7E5B5119AFB7352B761AAE53330769BD935F93D8A1EB69D48191442218798C97509E2DF2D5171EC92F88753B92C2D60AB7C
Malicious: false
Reputation: low
Preview: 1.0.7.,.3.7.4.6.3.7.6.,.1.2.3.,.7.7.8.7.0.2.2.2.4.,.6.3.6.4.3.3.4.,.1.4.6.1.9.5.4.,.2.6.0.1.,.1.1.9.,.3.7.4.6.3.7.2.,.1.5.6.1.9.5.8.,.3.7.4.6.2.5.9.,.1.1.9.6.3.7.8.,.3.7.4.6.3.6.8.,.4.2.1.4.2.1.7.,.6.3.6.4.3.3.1.,.1.2.5.,.1.5.6.1.9.5.5.,.7.7.8.7.0.2.2.2.5.,.4.8.0.9.1.5.7.6.3.,.3.7.4.6.3.7.3.,.4.8.0.9.1.5.7.6.5.,.7.7.8.7.0.2.2.3.4.,.1.2.2.3.4.3.4.,.5.2.1.6.4.2.,.1.2.8.,.1.2.2.0.7.7.9.,.4.8.0.9.1.5.7.6.4.,.7.2.9.1.8.1.0.4.3.,.6.3.6.4.3.3.2.,.1.4.6.1.9.5.5.,.1.0.0.,.1.0.1.,.1.0.3.,.1.0.4.,.1.0.5.,.1.0.6.,.1.0.8.,.1.0.9.,.1.1.2.,.1.1.4.,.1.1.8.,.1.2.0.,.1.2.1.,.1.2.2.,.5.4.5.6.5.4.3.,.1.2.4.,.6.5.4.2.1.8.5.1.,.1.2.6.,.;.1.0.3.4.5.0.2.0.,.3.,.1.0.6.9.5.5.3.,.6.5.4.0.2.1.5.,.3.2.9.4.5.8.7.9.9.,.1.2.7.,.1.6.5.7.4.5.2.,.7.4.5.3.4.5.9.,.2.3.7.1.6.5.1.,.1.6.5.7.4.5.3.,.3.0.1.2.3.4.6.6.,.3.1.4.1.5.9.1.5.,.3.0.1.5.3.7.2.1.,.2.7.1.5.3.4.9.7.,.3.7.4.6.3.7.9.,.6.3.7.1.6.9.4.,.1.0.3.4.5.0.2.1.,.1.0.6.9.5.3.3.,.3.4.4.1.3.9.5.3.,.6.3.6.4.3.3.7.,.2.6.4.8.5.7.8.4.,.6.1.7.0.7.3.0.7.,.2.5.4.8.7.8.5.4.,.6.7.

Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.856801871596053
Encrypted: false
SSDEEP: 3:M//PlyFXlRmO7l/llRlll/VvElQZoxY:s/PK1Gu
MD5: 278D81CD4E56D62AB075CB39AEBB7F64
SHA1: 194CBC70346484041FBA0716EEF02E8C862DA2FE
SHA-256: 38A1098BD8E9F3D0EF29EDDF14212F25C216188B0C6082DE9DF2DF4E0FFFB0AA
SHA-512: DA57C8D6203A59B0B136672A9B06130EEC6897A27B30C6AC12727D74CEE9DFC5F25A96AD7D8B020A08AD01D04B46477C020F536573B2E1F2F1233C7BEFFDCD76
Malicious: false
Reputation: low
Preview: .user..................................................M.e.r.c.y.....p&Z.r....7.......7......................................X.|w|.....c.a....X.z|...........6..&
File type: Microsoft Word 2007+
Entropy (8bit): 7.9642952408861385
TrID:
  • Word Microsoft Office Open XML Format document (49504/1) 58.23%
  • Word Microsoft Office Open XML Format document (27504/1) 32.35%
  • ZIP compressed archive (8000/1) 9.41%
File name: Untitled_20250325.docx.doc
File size: 56'028 bytes
MD5: e00b2ef0073a6021cc012dcf5d5ad70c
SHA1: c3dd54e43063122bcb849736ce7fe26ea27344cc
SHA256: f7821649e3f5fdb5cccba8f154ef19d8c59f46ca980059cf20a1d79b2f541bad
SHA512: 701026b070af6ec9a38fc0dd3ba6a0005938e9882c2d25a4b64c4726da669ff8fc1deb488c88a8c245b40bcefde79966b3c87118443e99e2f7e53f3a57ba4e1a
SSDEEP: 768:gOkYQoBauvMybG2FVChvBC78itcNjhxIqSSooFEl1Yt9Nxk/EW7hwTP9VAnCA9EQ:gvTolVChJIcphxpS1ubyZS38xu2apxs
TLSH: EB43E06BDC514C0BEB0C07F9FB85391EB670F7A3125321235E103D6E8EAA5CD4626E69
File Content Preview: PK........RLyZ+..0............[Content_Types].xmlUT....x.g.x.g.x.g.V.j.@.}/.....i..J)....c.h.....%.7v&......SL".../.bu.3s4hu.;[<A...Z,..(..`:.....o.GQ )o...j.......V...X0.c-Z..IJ.-8.U......)....Q..j..z.. u...J..b....Rg..S..+.:.9$#.......N...\.....vZ...O..
Icon Hash: 35e1cc889a8a8599
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: True
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False
Code Page: -535
Title:
Subject:
Author: 91974
Keywords:
Template: Normal.dotm
Last Saved By: 91974
Revision Number: 2
Total Edit Time: 1
Last Printed: 2020-10-16 02:53:17
Create Time: 2025-03-21T06:52:00Z
Last Saved Time: 2025-03-21T06:53:00Z
Number of Pages: 1
Number of Words: 0
Number of Characters: 0
Thumbnail: (WMF/EMF image data, omitted; readable strings embedded in it: "TEL: 0086-512-82558856 FAX: 0086-512-58268319", "JIANGSU SOIPOI CO.,LTD", "DELIVERY ORDER")
Creating Application: Microsoft Office Word
Security: 0
Document Code Page: 1252
Presentation Target Format:
Number of Lines: 1
Number of Paragraphs: 1
Number of Slides: 0
Number of Pages with Notes: 0
Number of Hidden Slides: 0
Number of Sound/Video Clips: 0
Thumbnail Scaling Desired: false
Company: Grizli777
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 12.0000

General
Stream Path: \x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.25248375192737
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: \x1Ole
CLSID:
File Type: data
Stream Size: 20
Entropy: 0.5689955935892812
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: \x3EPRINT
CLSID:
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Stream Size: 36988
Entropy: 3.2497681809626355
Base64 Encoded: False
Data ASCII: . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . J [ . . ( W . . E M F . . . . | . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ K . . h C . . F . . . , . . . . . . E M F + . @ . . . . . . . . . . . . . . . . X . . . X . . . F . . . \\ . . . P . . . E M F + " @ . . . . . . . . . . . @ . . . . . . . . . . $ @ . . . . . . . . . . 0 @ . . . . . . . . . . . . ? ! @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 20 00 00 00 0a 14 00 00 f1 13 00 00 00 00 00 00 00 00 00 00 4a 5b 00 00 28 57 00 00 20 45 4d 46 00 00 01 00 7c 90 00 00 6b 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 13 00 00 c8 19 00 00 d8 00 00 00 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 4b 03 00 68 43 04 00 46 00 00 00 2c 00 00 00 20 00 00 00 45 4d 46 2b 01 40 01 00
                            General
                            Stream Path:\x3ObjInfo
                            CLSID:
                            File Type:data
                            Stream Size:6
                            Entropy:1.2516291673878228
                            Base64 Encoded:False
                            Data ASCII:. . . . . .
                            Data Raw:00 00 03 00 0d 00
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:560
                            Entropy:3.3879366798911743
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 8c 01 00 00 48 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 03 00 00 00 90 00 00 00 05 00 00 00 9c 00 00 00 06 00 00 00 a4 00 00 00 07 00 00 00 ac 00 00 00 08 00 00 00 b4 00 00 00 09 00 00 00
                            General
                            Stream Path:\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:24184
                            Entropy:3.1945226555165376
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . H ^ . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . 1 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . g . @ . . . . . . Q < . . @ . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 48 5e 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 04 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 08 00 00 00 a0 00 00 00 09 00 00 00 b0 00 00 00 12 00 00 00 bc 00 00 00 0b 00 00 00 d4 00 00 00 0c 00 00 00 e0 00 00 00 0d 00 00 00 ec 00 00 00
                            General
                            Stream Path:Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:17006
                            Entropy:4.28640454300865
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . Z T 0 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . .
                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 80 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20


                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2025-03-25T12:53:12.240276+0100 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.25 | 49692 | 162.19.137.157 | 443 | TCP
                            2025-03-25T12:53:13.774752+0100 | 1810004 | Joe Security ANOMALY Microsoft Office HTTP activity | 1 | 192.168.2.25 | 49696 | 162.19.137.157 | 443 | TCP
                            • Total Packets: 46
                            • 443 (HTTPS)
                            • 53 (DNS)
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 12:53:10.790642977 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:10.790700912 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:10.790777922 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:10.791299105 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:10.791315079 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.157928944 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.158006907 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.160424948 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.160437107 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.160773039 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.161670923 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.204287052 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.508074045 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.508171082 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.508228064 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.508722067 CET | 49691 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.508744955 CET | 443 | 49691 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.520229101 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.520261049 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.520390034 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.521861076 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.521873951 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.884401083 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.884457111 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.887871981 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.887882948 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.888952971 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.888999939 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.892196894 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.892266989 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.892314911 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.892322063 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:11.892421961 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.896101952 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:11.940260887 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.240295887 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.240395069 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.240428925 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.240472078 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.245337009 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.245358944 CET | 443 | 49692 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.245369911 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.245445013 CET | 49692 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.274461985 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.274513006 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.275648117 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.275648117 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.275679111 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.640322924 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.657320023 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.657337904 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.658360958 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.658366919 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.995647907 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.995724916 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.995794058 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.995817900 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.995841980 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.995841980 CET | 49694 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:12.995855093 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:12.995862007 CET | 443 | 49694 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.052345991 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.052385092 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.052454948 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.053824902 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.053836107 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.416546106 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.416614056 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.418437958 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.418450117 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.418823004 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.418876886 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.420057058 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.420120001 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.420248032 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.420317888 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.464272022 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.774760962 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.774847031 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.774857998 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.775079012 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.775782108 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.775805950 CET | 443 | 49696 | 162.19.137.157 | 192.168.2.25
                            Mar 25, 2025 12:53:13.775820017 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Mar 25, 2025 12:53:13.775927067 CET | 49696 | 443 | 192.168.2.25 | 162.19.137.157
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 25, 2025 12:53:10.633001089 CET | 56588 | 53 | 192.168.2.25 | 1.1.1.1
                            Mar 25, 2025 12:53:10.789458036 CET | 53 | 56588 | 1.1.1.1 | 192.168.2.25
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 25, 2025 12:53:10.633001089 CET | 192.168.2.25 | 1.1.1.1 | 0xc39e | Standard query (0) | t.emobility.energy | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 25, 2025 12:53:08.344408989 CET | 1.1.1.1 | 192.168.2.25 | 0x1eef | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:53:08.344408989 CET | 1.1.1.1 | 192.168.2.25 | 0x1eef | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:08.344408989 CET | 1.1.1.1 | 192.168.2.25 | 0x1eef | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:10.789458036 CET | 1.1.1.1 | 192.168.2.25 | 0xc39e | No error (0) | t.emobility.energy | host1.emobility.energy | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:53:10.789458036 CET | 1.1.1.1 | 192.168.2.25 | 0xc39e | No error (0) | host1.emobility.energy | - | 162.19.137.157 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.76 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.77 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.70 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.71 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:15.001075983 CET | 1.1.1.1 | 192.168.2.25 | 0x2086 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.74 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:23.367328882 CET | 1.1.1.1 | 192.168.2.25 | 0xd44e | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:53:23.367328882 CET | 1.1.1.1 | 192.168.2.25 | 0xd44e | No error (0) | a726.dscd.akamai.net | - | 23.57.90.77 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:23.367328882 CET | 1.1.1.1 | 192.168.2.25 | 0xd44e | No error (0) | a726.dscd.akamai.net | - | 23.57.90.69 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:23.367328882 CET | 1.1.1.1 | 192.168.2.25 | 0xd44e | No error (0) | a726.dscd.akamai.net | - | 23.57.90.80 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:24.426279068 CET | 1.1.1.1 | 192.168.2.25 | 0x46cc | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 25, 2025 12:53:24.426279068 CET | 1.1.1.1 | 192.168.2.25 | 0x46cc | No error (0) | a726.dscd.akamai.net | - | 23.57.90.77 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:24.426279068 CET | 1.1.1.1 | 192.168.2.25 | 0x46cc | No error (0) | a726.dscd.akamai.net | - | 23.57.90.69 | A (IP address) | IN (0x0001) | false
                            Mar 25, 2025 12:53:24.426279068 CET | 1.1.1.1 | 192.168.2.25 | 0x46cc | No error (0) | a726.dscd.akamai.net | - | 23.57.90.80 | A (IP address) | IN (0x0001) | false
                            • t.emobility.energy
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.25 | 49691 | 162.19.137.157 | 443 | 7688 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:53:11 UTC | 331 | OUT | OPTIONS / HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-MSGETWEBURL: t
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 11:53:11 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:53:11 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:53:11 UTC | 384 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 62 6c 65 20 74 6f 20 73 65 72 76 69 63 65 20 79 6f 75 72 0a 72 65 71 75 65 73 74 20 64 75 65 20 74 6f 20 6d 61 69 6e 74 65 6e 61 6e 63 65 20 64 6f 77 6e 74 69 6d 65 20 6f 72 20 63 61 70 61 63 69 74 79 0a 70 72 6f 62 6c 65 6d 73 2e
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.25 | 49692 | 162.19.137.157 | 443 | 7688 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:53:11 UTC | 234 | OUT | OPTIONS / HTTP/1.1
                            Authorization: Bearer
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            X-IDCRL_ACCEPTED: t
                            User-Agent: Microsoft Office Protocol Discovery
                            Host: t.emobility.energy
                            Content-Length: 0
                            Connection: Keep-Alive
                            2025-03-25 11:53:12 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:53:12 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:53:12 UTC | 384 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 62 6c 65 20 74 6f 20 73 65 72 76 69 63 65 20 79 6f 75 72 0a 72 65 71 75 65 73 74 20 64 75 65 20 74 6f 20 6d 61 69 6e 74 65 6e 61 6e 63 65 20 64 6f 77 6e 74 69 6d 65 20 6f 72 20 63 61 70 61 63 69 74 79 0a 70 72 6f 62 6c 65 6d 73 2e
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.25 | 49694 | 162.19.137.157 | 443 | 7688 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:53:12 UTC | 326 | OUT | HEAD /JpXyeF?&achiever HTTP/1.1
                            Connection: Keep-Alive
                            Authorization: Bearer
                            User-Agent: Microsoft Office Word 2014
                            X-Office-Major-Version: 16
                            X-MS-CookieUri-Requested: t
                            X-FeatureVersion: 1
                            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                            X-IDCRL_ACCEPTED: t
                            Host: t.emobility.energy
                            2025-03-25 11:53:12 UTC | 169 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:53:12 GMT
                            Server: Apache/2.4.62 (Debian)
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.25 | 49696 | 162.19.137.157 | 443 | 7688 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-25 11:53:13 UTC | 206 | OUT | GET /JpXyeF?&achiever HTTP/1.1
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                            UA-CPU: AMD64
                            Accept-Encoding: gzip, deflate
                            Host: t.emobility.energy
                            Connection: Keep-Alive
                            2025-03-25 11:53:13 UTC | 190 | IN | HTTP/1.1 503 Service Unavailable
                            Date: Tue, 25 Mar 2025 11:53:13 GMT
                            Server: Apache/2.4.62 (Debian)
                            Content-Length: 384
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            2025-03-25 11:53:13 UTC | 384 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 62 6c 65 20 74 6f 20 73 65 72 76 69 63 65 20 79 6f 75 72 0a 72 65 71 75 65 73 74 20 64 75 65 20 74 6f 20 6d 61 69 6e 74 65 6e 61 6e 63 65 20 64 6f 77 6e 74 69 6d 65 20 6f 72 20 63 61 70 61 63 69 74 79 0a 70 72 6f 62 6c 65 6d 73 2e
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems.



                            Target ID:0
                            Start time:07:53:04
                            Start date:25/03/2025
                            Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                            Imagebase:0x7ff612a50000
                            File size:1'637'952 bytes
                            MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:1
                            Start time:07:53:04
                            Start date:25/03/2025
                            Path:C:\Windows\System32\appidpolicyconverter.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\appidpolicyconverter.exe"
                            Imagebase:0x7ff7e2b50000
                            File size:155'648 bytes
                            MD5 hash:6567D9CF2545FAAC60974D9D682700D4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:2
                            Start time:07:53:04
                            Start date:25/03/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff729690000
                            File size:1'040'384 bytes
                            MD5 hash:9698384842DA735D80D278A427A229AB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            No disassembly