Analysis Report contract.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 188616
Start date: 08.11.2019
Start time: 17:56:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: contract.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.winDOC@1/19@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
Warnings:
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe, TiWorker.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, TrustedInstaller.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.88.8, 52.109.88.36, 52.114.132.23, 13.107.4.50, 93.184.221.240, 52.109.76.34, 52.109.124.21, 52.109.12.22, 52.109.88.40, 92.122.213.201, 92.122.213.217, 67.27.233.254, 67.26.137.254, 8.253.204.121, 67.27.234.126, 8.248.131.254, 93.184.220.29, 40.113.90.31, 52.158.208.111, 67.26.73.254, 8.248.123.254, 8.253.204.120, 52.109.120.22, 52.109.124.23, 92.123.23.239
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fg.download.windowsupdate.com.c.footprint.net, client-office365-tas.msedge.net, prod-w.nexus.live.com.akadns.net, cs9.wac.phicdn.net, 2-01-3cf7-0009.cdx.cedexis.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, a767.dspw65.akamai.net, e15275.g.akamaiedge.net, wu.azureedge.net, prd.col.aria.mobile.skypedata.akadns.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, cloudtile.photos.microsoft.com, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, s-0001.s-msedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, download.windowsupdate.com, prod.nexusrules.live.com.akadns.net, download.windowsupdate.com.edgesuite.net, au.au-msedge.net, users.photos.microsoft.com.akadns.net, pipe.skype.com, config.officeapps.live.com, au.c-0001.c-msedge.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Scripting32 | Winlogon Helper DLL | Process Injection1 | Process Injection1 | Credential Dumping | Process Discovery2 | Application Deployment Software | Data from Local System | Data Encrypted1 | Standard Cryptographic Protocol2
Replication Through Removable Media | Exploitation for Client Execution23 | Port Monitors | Accessibility Features | Scripting32 | Network Sniffing | Security Software Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | File and Directory Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Information Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: contract.doc; Avira: detection malicious, Label: VBS/Drop.Agent.krmmw
Source: contract.doc; Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll; Virustotal: Detection: 27%
Multi AV Scanner detection for submitted file
Source: contract.doc; Virustotal: Detection: 23%

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: scheduler_a.dll.0.dr
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: microsoft-hub-us.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic; TCP traffic: 192.168.2.6:49767 -> 195.123.246.12:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.6:49767 -> 195.123.246.12:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 195.123.246.12
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Found strings which match to known social media urls
Source: WINWORD.EXE, 00000000.00000002.6705702400.000000000D49E000.00000004.00000001.sdmp; String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: WINWORD.EXE, 00000000.00000002.6698016574.00000000038E5000.00000004.00000001.sdmp; String found in binary or memory: LinkedIn equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.6694840608.00000000016FF000.00000004.00000020.sdmp; String found in binary or memory: api/v1/linkedin/associations equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.6705702400.000000000D49E000.00000004.00000001.sdmp; String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: WINWORD.EXE, 00000000.00000002.6705702400.000000000D49E000.00000004.00000001.sdmp; String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: microsoft-hub-us.com
URLs found in memory or binary data
Source: WINWORD.EXE, 00000000.00000003.4515989674.000000000D5A8000.00000004.00000001.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.comtri
Source: WINWORD.EXE, 00000000.00000002.6705533157.000000000D42A000.00000004.00000001.sdmpString found in binary or memory: https://graph.microsof
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/5
Source: WINWORD.EXE, 00000000.00000002.6705849051.000000000D4EE000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net)
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/b
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/e
Source: WINWORD.EXE, 00000000.00000002.6705849051.000000000D4EE000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?W
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d3-3g
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.comP-R-3952
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com-E-2
Source: WINWORD.EXE, 00000000.00000002.6695495078.0000000002FC0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000002.6706016546.000000000D51C000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing.i
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtice
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebookces
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6706016546.000000000D51C000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveces
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comb
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comc
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.4515989674.000000000D5A8000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: WINWORD.EXE, 00000000.00000003.4511410053.000000000D533000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oa
Source: 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeADALRedirectUrlExcelurn:ietf:wg:oauth:2.0:oobAD
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeX
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localace
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6698236700.00000000039A3000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize23
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3WMr
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeADALClientIdExceld3590ed6-52b3-4102-aeff-aad2292ab0
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeEM
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeabled
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeabled:
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizealer
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeands
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeareia
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeashd
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeate
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeaviorwFa
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebled
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebled(
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebledZ
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec2VcV
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecher
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecherA
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizector
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized&
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedCi
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedMx
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedRM
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedy1D
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizee
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeople
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeople;
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeopleK
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeerializT
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegic
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeging
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeging6
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegth
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegthdPE
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizehbJ
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeic
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeionr
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeionx
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel11o
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel32
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizele
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeled
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledH
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledd
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledg
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledrxc
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledt
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizellab
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenag
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizends8
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizengUI
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenseN
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizents
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenyrEb
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeol11
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeollab
Source: WINWORD.EXE, 00000000.00000002.6695685309.000000000301B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeon
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeonI
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeonyeES
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeorLRM
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizertyH
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizertydDP
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizese=
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeseOfE
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesngRG
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesre
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetaRM
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetartCo&U
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetcher
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetedI
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetei
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetsm
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetsz
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeture
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevc
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevcRM
Source: WINWORD.EXE, 00000000.00000003.4514097764.000000000D627000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeve
Source: WINWORD.EXE, 00000000.00000002.6697728786.000000000386E000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeve1
Source: WINWORD.EXE, 00000000.00000002.6705775236.000000000D4D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeware
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.4515989674.000000000D5A8000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: WINWORD.EXE, 00000000.00000002.6697610548.0000000003810000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1edd
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://management.azure.com
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000000.00000002.6705849051.000000000D4EE000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/BingGeospatialEndpointServiceUrlhttps://dev.virtualearth.net/REST/V1/Ge
Source: WINWORD.EXE, 00000000.00000002.6695902529.0000000003085000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.comb
Source: WINWORD.EXE, 00000000.00000003.4511410053.000000000D533000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://messaging.office.com/
Source: WINWORD.EXE, 00000000.00000003.4511410053.000000000D533000.00000004.00000001.sdmpString found in binary or memory: https://messaging.offiuf
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: WINWORD.EXE, 00000000.00000003.4515081352.000000000D6FE000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyon
Source: WINWORD.EXE, 00000000.00000003.4510521845.000000000D53A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.6698236700.00000000039A3000.00000004.00000001.sdmp, 88AF1935-3377-4242-B5F5-7BAE9CC3079C.0.drString found in binary or memory: https://ncus-000.contentsync.
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: contract.doc | OLE, VBA macro line: Public Declare PtrSafe Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Source: contract.doc | OLE, VBA macro line: Public Declare Function PORDMN2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Source: contract.doc | OLE, VBA macro line: UserForm2.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: contract.doc | Stream path 'Macros/VBA/Module3' : found possibly 'ADODB.Stream' functions mode, position, open, read, write
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: contract.doc | Stream path 'Macros/VBA/Module3' : found possibly 'WScript.Shell' functions environment, specialfolders, exec, expandenvironmentstrings, environ
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: contract.doc | OLE, VBA macro line: result = FMOD_Sys.tem_CreateStream(System, "../../examples/media/wave.mp3", FMOD_OPENONLY Or FMOD_ACCURATETIME, Sound)
Source: contract.doc | OLE, VBA macro line: result = FMOD_Sys.tem_Close(System)
Source: contract.doc | OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: contract.doc | OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll 8F7E023DC4DBCDC54EB908B7C1C752A0A1F29BB6521686376F968090549E653E
Sample file is different than original file name gathered from version info
Source: contract.doc | Binary or memory string: OriginalFilenameInitScope.dll. vs contract.doc
Classification label
Source: classification engine | Classification label: mal100.expl.winDOC@1/19@1/1
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\{DC933B80-0FE2-4163-BABE-C33E273FDC72} - OProcSessId.dat
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: contract.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: contract.doc | OLE document summary: edited time not present or 0
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
SQL strings found in memory and binary data
Source: WINWORD.EXE, 00000000.00000002.6708182847.000000000DEFC000.00000004.00000001.sdmp | Binary or memory string: INSERT or REPLACE INTO `packages` (`id`, `priority`, `ts`, `tenant`, `version`, `payload`, `Nrecords`, `Nretries`, `inflight`, `attribs`) VALUES (?,?,?,?,?,?,?,?,?,?);
Source: WINWORD.EXE, 00000000.00000002.6708182847.000000000DEFC000.00000004.00000001.sdmp | Binary or memory string: INSERT or REPLACE INTO `packages` (`id`, `priority`, `ts`, `tenant`, `version`, `payload`, `Nrecords`, `Nretries`, `inflight`, `attribs`) VALUES (?,?,?,?,?,?,?,?,?,?);y
Source: WINWORD.EXE, 00000000.00000002.6708182847.000000000DEFC000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS `packages` (`id` TEXT PRIMARY KEY,`priority` INTEGER,`ts` INTEGER,`tenant` TEXT,`version` INTEGER,`payload` BLOB,`Nrecords` INTEGER,`Nretries` INTEGER,`inflight` INTEGER);
Source: WINWORD.EXE, 00000000.00000002.6708182847.000000000DEFC000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS `properties` (`key` TEXT,`value` TEXT);
Sample is known by Antivirus
Source: contract.doc | Virustotal: Detection: 23%
Executable creates window controls seldom found in malware
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Document has a 'bytes' value indicative of goodware
Source: contract.doc | Initial sample: OLE document summary bytes = 88338
Document has a 'subject' value indicative of goodware
Source: contract.doc | Initial sample: OLE summary subject = hdhIi

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, API coverage: 0.0 %
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: WINWORD.EXE, 00000000.00000002.6711025100.000000000E6B0000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WINWORD.EXE, 00000000.00000002.6698016574.00000000038E5000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: WINWORD.EXE, 00000000.00000002.6711025100.000000000E6B0000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WINWORD.EXE, 00000000.00000002.6711025100.000000000E6B0000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WINWORD.EXE, 00000000.00000002.6705533157.000000000D42A000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAWBg
Source: WINWORD.EXE, 00000000.00000002.6711025100.000000000E6B0000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Code function: 0_2_0BD40830 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE, 00000000.00000002.6695366994.0000000001BB0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000000.00000002.6695366994.0000000001BB0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: WINWORD.EXE, 00000000.00000002.6695366994.0000000001BB0000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: WINWORD.EXE, 00000000.00000002.6695366994.0000000001BB0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

Behavior Graph

[Behavior graph image not included. Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
contract.doc | 23% | Virustotal |
contract.doc | 100% | Avira | VBS/Drop.Agent.krmmw
contract.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | 27% | Virustotal |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
microsoft-hub-us.com | 0% | Virustotal |

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
195.123.246.12 | contract.doc | malicious |
195.123.246.12 | a.doc | malicious |
195.123.246.12 | contract.doc | malicious |
195.123.246.12 | contract1.doc | malicious |
195.123.246.12 | contract.doc | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
microsoft-hub-us.com | a.doc | malicious | 195.123.246.12
microsoft-hub-us.com | contract.doc | malicious | 195.123.246.12
microsoft-hub-us.com | contract1.doc | malicious | 195.123.246.12
microsoft-hub-us.com | contract.doc | malicious | 195.123.246.12

ASN


JA3 Fingerprints


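Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | contract.doc | malicious |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | a.doc | malicious |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | contract.doc | malicious |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | contract1.doc | malicious |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll | contract.doc | malicious |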

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.