Analysis Report VERDI.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193292
Start date: 03.12.2019
Start time: 06:50:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VERDI.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.winDOC@3/18@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.76.6, 52.109.8.21, 52.114.132.74
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, prod.nexusrules.live.com.akadns.net, prd.col.aria.mobile.skypedata.akadns.net, pipe.skype.com, config.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, pipe.cloudapp.aria.akadns.net
  • Execution Graph export aborted for target WINWORD.EXE, PID 2232 because there are no executed function
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 64
Range: 0 - 100
Reporting Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact
Valid Accounts | Scripting 11 | Winlogon Helper DLL | Process Injection 2 | Masquerading 1 | Credential Dumping | Process Discovery 1 | Remote File Copy 3 | Data from Local System | Data Compressed | Remote File Copy 3 | Data Destruction
Replication Through Removable Media | Exploitation for Client Execution 2 | Port Monitors | Accessibility Features | Process Injection 2 | Network Sniffing | Application Window Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 2 | Data Encrypted for Impact
External Remote Services | Graphical User Interface 1 | Accessibility Features | Path Interception | Scripting 11 | Input Capture | Security Software Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 12 | Disk Structure Wipe
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | File and Directory Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | Disk Content Wipe
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | System Information Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Service Stop

Signature Overview


AV Detection:

Antivirus detection for sample
Source: VERDI.doc; Avira: detection malicious, Label: W97M/Dldr.Sload.xgajl
Multi AV Scanner detection for submitted file
Source: VERDI.doc; Virustotal: Detection: 42%
Machine Learning detection for sample
Source: VERDI.doc; Joe Sandbox ML: detected

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic; TCP traffic: 192.168.2.5:49720 -> 192.119.106.235:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.5:49720 -> 192.119.106.235:80

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected:
  GET /mswordupd.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 192.119.106.235
  Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 192.119.106.235
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected:
  GET /mswordupd.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 192.119.106.235
  Connection: Keep-Alive
Found strings which match to known social media urls
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmp; String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: WINWORD.EXE, 00000000.00000002.2247318221.000000000F89E000.00000004.00000001.sdmp; String found in binary or memory: LinkedIn equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.2231855167.000000000015A000.00000004.00000020.sdmp; String found in binary or memory: api/v1/linkedin/associations equals www.linkedin.com (Linkedin)
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmp; String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmp; String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 03 Dec 2019 05:51:39 GMT
  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
  Content-Length: 211
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested
Urls found in memory or binary data
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/K
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/e
Source: WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetryhtOfficeOnlineContenthttps://insertmedi
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.comsB
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dege
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentImageshttps://hubbl
Source: WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?g
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp:
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingy
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
Source: WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtesXl
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FacebooksXld
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
Source: WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivePptme
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTssl.
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMM=
Source: EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comK
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: WINWORD.EXE, 00000000.00000002.2234530267.0000000002A7A000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/pand
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2
Source: EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize7/S
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize99I
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localace
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.neW
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.2245292924.000000000F350000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$T
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%;m
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)&Y
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3WM
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4;
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8&H
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeA9
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN/
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOfCi
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP9
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQ8
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU$
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW&
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebledy
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeck
Source: WINWORD.EXE, 00000000.00000002.2240696735.000000000C4B0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeckRM;
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized$
Source: WINWORD.EXE, 00000000.00000003.1758102116.000000000C727000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedcf
Source: WINWORD.EXE, 00000000.00000003.1758102116.000000000C727000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedlab
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedled
Source: WINWORD.EXE, 00000000.00000003.1758102116.000000000C727000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedlin9
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedond
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeed
Source: WINWORD.EXE, 00000000.00000003.1758102116.000000000C727000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeop-e
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef&
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegic.
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegicV
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeic
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize6
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek$
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel/
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel11F
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeled4
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledr
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeller
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizends
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizentse
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizentst
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeorLRM
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq-
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: WINWORD.EXE, 00000000.00000003.1758102116.000000000C727000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer11n
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes/
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizess
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeta
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev9
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew8
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez$
Source: WINWORD.EXE, 00000000.00000002.2231617256.0000000000080000.00000004.00000020.sdmp, WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SS
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://management.azure.com
Source: WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/(
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.comK
Source: WINWORD.EXE, 00000000.00000002.2233872730.0000000002854000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://messaging.office.com/
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: WINWORD.EXE, 00000000.00000002.2241909005.000000000C82F000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyNakU
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.2245292924.000000000F350000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: WINWORD.EXE, 00000000.00000003.1758511996.000000000C74B000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000002.2231617256.0000000000080000.00000004.00000020.sdmpString found in binary or memory: https://nexus.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.2231617256.0000000000080000.00000004.00000020.sdmpString found in binary or memory: https://nexus.officeapps.live.com.dll
Source: WINWORD.EXE, 00000000.00000002.2231617256.0000000000080000.00000004.00000020.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000003.1759825465.000000000F475000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com.
Source: WINWORD.EXE, 00000000.00000002.2231617256.0000000000080000.00000004.00000020.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com.D
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/nexus/
Source: WINWORD.EXE, 00000000.00000003.1759007068.000000000F463000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/nexus/#
Source: WINWORD.EXE, 00000000.00000003.1757654485.000000000F442000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/nexus/9
Source: WINWORD.EXE, 00000000.00000003.1759390680.000000000F479000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules
Source: WINWORD.EXE, 00000000.00000002.2240773231.000000000C4E7000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.2241447469.000000000C6DB000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.2241405267.000000000C6CA000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules?Application=winword.exe&Version=16.0.11001.20108&
Source: WINWORD.EXE, 00000000.00000003.1759825465.000000000F475000.00000004.00000001.sdmpString found in binary or memory: https://nexusrules.officeapps.live.comS
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net~
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/abB
Source: WINWORD.EXE, 00000000.00000003.1759277907.000000000C79F000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/:
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.2234530267.0000000002A7A000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000003.1756476033.000000000C7CD000.00000004.00000001.sdmp, EE65EA40-6FFF-4DFB-887C-FA5F9B3645C6.0.drString found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.2234530267.0000000002A7A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com0b
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com80v
Source: WINWORD.EXE, 00000000.00000002.2245292924.000000000F350000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com:
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comAccesssI
Source: WINWORD.EXE, 00000000.00000003.1758290759.000000000F411000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comBingGeospatialService
Source: WINWORD.EXE, 00000000.00000002.2245292924.000000000F350000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comCirclesH
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comCopyFoo
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comCpLimS
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comDeepes
Source: WINWORD.EXE, 00000000.00000002.2241206372.000000000C60E000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comEnablesq

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: VERDI.doc; OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: VERDI.doc; OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: VERDI.doc; OLE, VBA macro line: URLDownloadToFile 0, v1, v2, 0, 0
Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function Jbrw23, String urldownloadtofile: URLDownloadToFile 0, v1, v2, 0, 0
Document contains embedded VBA macros
Source: VERDI.doc; OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: VERDI.doc; OLE indicator has summary info: false
Document has an unknown application name
Source: VERDI.doc; OLE indicator application name: unknown
Classification label
Source: classification engine; Classification label: mal64.expl.winDOC@3/18@0/1
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\{B29DA57E-4471-4AF2-891F-E7F244DCF483} - OProcSessId.dat
Document contains summary information with irregular field values
Source: VERDI.doc; OLE document summary: title field not present or empty
Source: VERDI.doc; OLE document summary: author field not present or empty
Source: VERDI.doc; OLE document summary: edited time not present or 0
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
SQL strings found in memory and binary data
Source: WINWORD.EXE, 00000000.00000002.2247009473.000000000F7C9000.00000004.00000001.sdmp; Binary or memory string: INSERT or REPLACE INTO `packages` (`id`, `priority`, `ts`, `tenant`, `version`, `payload`, `Nrecords`, `Nretries`, `inflight`, `attribs`) VALUES (?,?,?,?,?,?,?,?,?,?);
Source: WINWORD.EXE, 00000000.00000002.2247009473.000000000F7C9000.00000004.00000001.sdmp; Binary or memory string: INSERT or REPLACE INTO `packages` (`id`, `priority`, `ts`, `tenant`, `version`, `payload`, `Nrecords`, `Nretries`, `inflight`, `attribs`) VALUES (?,?,?,?,?,?,?,?,?,?);ceO
Source: WINWORD.EXE, 00000000.00000002.2247252648.000000000F881000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE IF NOT EXISTS `packages` (`id` TEXT PRIMARY KEY,`priority` INTEGER,`ts` INTEGER,`tenant` TEXT,`version` INTEGER,`payload` BLOB,`Nrecords` INTEGER,`Nretries` INTEGER,`inflight` INTEGER);
Source: WINWORD.EXE, 00000000.00000002.2247318221.000000000F89E000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE IF NOT EXISTS `properties` (`key` TEXT,`value` TEXT);
Sample is known by Antivirus
Source: VERDI.doc; Virustotal: Detection: 42%
Spawns processes
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Executable creates window controls seldom found in malware
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Window found: window name: SysTabControl32
Uses Rich Edit Controls
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodware
Source: VERDI.doc; Initial sample: OLE zip file path = word/media/image1.wmf
Source: VERDI.doc; Initial sample: OLE zip file path = word/media/image4.jpeg
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Document has a 'vbamacros' value indicative of goodware
Source: VERDI.doc; Initial sample: OLE indicators vbamacros = False

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\splwow64.exe, Window / User API: threadDelayed 984
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: WINWORD.EXE, 00000000.00000002.2242816060.000000000D230000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WINWORD.EXE, 00000000.00000002.2234530267.0000000002A7A000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: WINWORD.EXE, 00000000.00000002.2242816060.000000000D230000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WINWORD.EXE, 00000000.00000002.2242816060.000000000D230000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WINWORD.EXE, 00000000.00000002.2242816060.000000000D230000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE, 00000000.00000002.2232677599.00000000010C0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000000.00000002.2232677599.00000000010C0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: WINWORD.EXE, 00000000.00000002.2232677599.00000000010C0000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: WINWORD.EXE, 00000000.00000002.2232677599.00000000010C0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

Behavior Graph

[Behavior graph image not reproduced. Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet]

Simulations

Behavior and APIs

Time | Type | Description
06:51:28 | API Interceptor | 999x Sleep call for process: splwow64.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
VERDI.doc | 43% | Virustotal |
VERDI.doc | 100% | Avira | W97M/Dldr.Sload.xgajl
VERDI.doc | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
192.119.106.235 | VERDI.doc | malicious

    Domains

    No context

    ASN

    Match | Associated Sample Name / URL | Detection | Context
    unknown | VERDI.doc | malicious | 192.119.106.235

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Screenshots
