Analysis Report 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx

Overview

General Information

Sample Name: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx
Analysis ID: 358573
MD5: 14b364f395dd53fa6b36d00e46c514da
SHA1: 0b97138df21f05c020e43f2c882694bdc805c4a1
SHA256: 1f39fb321c3902a9506b3f3529f5fdbf868053018099991d95e254596658bdfd

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains an external reference to another document
Phishing site detected (based on logo template match)
Allocates a big amount of memory (probably used for heap spraying)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Classification

Phishing:

Phishing site detected (based on logo template match)
Source: https://login.iis.net/account/login?ReturnUrl=https://www.iis.net/ Matcher: Template: microsoft matched
Source: https://login.iis.net/account/login?ReturnUrl=https://www.iis.net/ HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 34.253.10.100:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.253.10.100:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.192:443 -> 192.168.2.3:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.192:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.229.221.185:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.229.221.185:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.3:49805 version: TLS 1.2

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: winword.exe Memory has grown: Private usage: 0MB later: 94MB

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.118.185.161 40.118.185.161
Source: Joe Sandbox View IP Address: 151.101.1.192 151.101.1.192
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: downloads[1].htm.13.dr String found in binary or memory: <li><a href="https://www.twitter.com/inetsrv/" class="twitter">Twitter</a></li> equals www.twitter.com (Twitter)
Source: de-ch[1].htm.13.dr String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/85288795/coreui.statics/images/social/facebook.png" alt="Facebook"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.13.dr String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/93690392/coreui.statics/images/social/twitter.png" alt="Twitter"> equals www.twitter.com (Twitter)
Source: de-ch[1].htm.13.dr String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/b23f9ba2/coreui.statics/images/social/linkedin.png" alt="LinkedIn"> equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.13.dr String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/c79952ca/coreui.statics/images/social/youtube.png" alt="Youtube"> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.13.dr String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/2532198d/coreui.statics/images/social/facebook.svg"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.13.dr String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/2d505657/coreui.statics/images/social/youtube.svg"> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.13.dr String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/413bd4a8/coreui.statics/images/social/linkedin.svg"> equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.13.dr String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/6f40299c/coreui.statics/images/social/twitter.svg"> equals www.twitter.com (Twitter)
Source: de-ch[1].htm.13.dr String found in binary or memory: <a data-m='{"id":"n1m1r6a2","sN":1,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.facebook.com/microsoftschweiz" title="Microsoft auf Facebook folgen (&#246;ffnet in einem neuen Tab)." target=&quot;_blank&quot;> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.13.dr String found in binary or memory: <a data-m='{"id":"n3m1r6a2","sN":3,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.linkedin.com/company/1035" title="Microsoft auf LinkedIn folgen (&#246;ffnet in einem neuen Tab)." target=&quot;_blank&quot;> equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.13.dr String found in binary or memory: <a data-m='{"id":"n4m1r6a2","sN":4,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.youtube.com/user/MicrosoftCH" title="Microsoft auf YouTube folgen (&#246;ffnet in einem neuen Tab)." target=&quot;_blank&quot;> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: lemontree1.sharepoint.com
Source: docons.225ca470[1].eot.13.dr String found in binary or memory: http://fontello.com
Source: docons.225ca470[1].eot.13.dr String found in binary or memory: http://fontello.comIcon
Source: main.min[1].js.13.dr String found in binary or memory: http://gambit.ph
Source: de-ch[1].htm.13.dr String found in binary or memory: http://github.com/aFarkas/lazysizes
Source: downloadshome[1].js.13.dr String found in binary or memory: http://github.com/jquery/jquery-tmpl
Source: 17-f90ef1[1].js.13.dr String found in binary or memory: http://github.com/requirejs/almond/LICENSE
Source: de-ch[1].htm.13.dr String found in binary or memory: http://github.com/requirejs/domReady
Source: de-ch[1].htm.13.dr String found in binary or memory: http://github.com/requirejs/requirejs/LICENSE
Source: 65-478888[1].css.13.dr String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1LLAb
Source: scripts-jquery-validate[1].js.13.dr String found in binary or memory: http://jqueryvalidation.org/
Source: aspnet[1].htm.13.dr String found in binary or memory: http://letslearndotnet.splashthat.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: f0a172e9.index-polyfills[1].js.13.dr String found in binary or memory: http://purl.eligrey.com/github/classList.js/blob/master/classList.js
Source: configuration[1].htm.13.dr String found in binary or memory: http://schema.org/BreadcrumbList
Source: de-ch[1].htm.13.dr, configuration[1].htm.13.dr String found in binary or memory: http://schema.org/Organization
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: social[1].js.13.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: configuration[1].htm.13.dr String found in binary or memory: https://aka.ms/sitefeedback
Source: analytics[1].js.13.dr String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: ~WRS{31CB24EF-1DEB-4C38-BB46-32AB8B1362AD}.tmp.0.dr String found in binary or memory: https://anywhere.webrootcloudav.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.aadrm.com/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.cortana.ai
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.office.net
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.onedrive.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: de-ch[1].htm.13.dr String found in binary or memory: https://assets.onestore.ms
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://augloop.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: aspnet[1].htm.13.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: iframe[1].htm.13.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: login[1].htm.13.dr String found in binary or memory: https://blogs.iis.net
Source: downloads[1].htm.13.dr, 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/adminapi
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/bariscaglar/iisadministration-powershell-cmdlets-new-feature-in-windows-10-ser
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/davidso/http2
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/feed/recent-posts.xml
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/iisteam/introducing-iis-cors-1-0
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://blogs.iis.net/iisteam/introducing-iisadministration-in-the-powershell-gallery
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net/iisteam/url-rewrite-v2-1
Source: 6RJ6ZB23.htm.13.dr String found in binary or memory: https://blogs.iis.net:443/peterviola/Resolving-IIS-WMSVC-Underlying-Connection-Was-Closed
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cdn.entity.
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: de-ch[1].htm.13.dr String found in binary or memory: https://channel9.msdn.com/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://clients.config.office.net/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: downloads[1].htm.13.dr String found in binary or memory: https://code.visualstudio.com/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://config.edge.skype.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: downloads[1].htm.13.dr String found in binary or memory: https://consentdeliveryfd.azurefd.net/mscc/lib/v2/wcp-consent.js
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cortana.ai
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cortana.ai/api
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://cr.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dev.cortana.ai
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://devnull.onenote.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://directory.services.
Source: {3A9550E0-77F5-11EB-90E4-ECF4BB862DED}.dat.12.dr String found in binary or memory: https://docs.micr
Source: {3A9550E0-77F5-11EB-90E4-ECF4BB862DED}.dat.12.dr String found in binary or memory: https://docs.microsoft
Source: {3A9550E0-77F5-11EB-90E4-ECF4BB862DED}.dat.12.dr String found in binary or memory: https://dotnet.microso
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: aspnet[1].htm.13.dr String found in binary or memory: https://forums.asp.net/
Source: login[1].htm.13.dr String found in binary or memory: https://forums.iis.net
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/1080.aspx
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/members/$
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/members/fajner.aspx
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/members/lextm.aspx
Source: downloads[1].htm.13.dr String found in binary or memory: https://forums.iis.net/members/saucecontrol.aspx
Source: ~WRS{31CB24EF-1DEB-4C38-BB46-32AB8B1362AD}.tmp.0.dr String found in binary or memory: https://g59.p4.webrootcloudav.com
Source: general.min[1].js.13.dr, bootstrap-custom.min[1].css.13.dr String found in binary or memory: https://getbootstrap.com/)
Source: 8c3bc838.index-docs[1].js.13.dr String found in binary or memory: https://github.com/
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/IIS.Administration-docs/blob/225791e1b7c98133f66b982bf4a28e95832e8b
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/IIS.Administration-docs/blob/live/IIS-Administration/index.md
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/IIS.Administration-docs/blob/master/IIS-Administration/index.md
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/22f8c6108ea9ed9330333ede82568276a3162b34/iis/configur
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/6f3b6fb492d7b76ff12d33db587c74bf9990bcf6/iis/get-star
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/live/iis/configuration/index.md
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/live/iis/get-started/whats-new-in-iis-10-version-1709
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/master/iis/configuration/index.md
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/MicrosoftDocs/iis-docs/blob/master/iis/get-started/whats-new-in-iis-10-version-17
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/Rich-Lang
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/Rich-Lang.png?size=32
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/Rick-Anderson
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/Rick-Anderson.png?size=32
Source: main.min[1].js.13.dr String found in binary or memory: https://github.com/imakewebthings/waypoints/blob/master/licenses.txt
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/jimmyca15
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/jimmyca15.png?size=32
Source: main.min[1].js.13.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/mairaw
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/mairaw.png?size=32
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/neusamir
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/neusamir.png?size=32
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/nschonni
Source: new-features-introduced-in-iis-10-1709[1].htm.13.dr String found in binary or memory: https://github.com/nschonni.png?size=32
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/shirhatti
Source: IIS-Administration[1].htm.13.dr String found in binary or memory: https://github.com/shirhatti.png?size=32
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/terrimorton
Source: configuration[1].htm.13.dr String found in binary or memory: https://github.com/terrimorton.png?size=32
Source: general.min[1].js.13.dr, bootstrap-custom.min[1].css.13.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: general.min[1].js.13.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: main.min[1].js.13.dr String found in binary or memory: https://github.com/wilddeer/stickyfill
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://graph.windows.net
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://graph.windows.net/
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: aspnet[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE3NYMe?ver=7b0e&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DRie?ver=f61d&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DfTp?ver=8993&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4E4rT?ver=2072&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4H9G0?ver=5bb0&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4HCqV?ver=5c59&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4MEu6?ver=f30c&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4MWFF?ver=02a7&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Mznr?ver=36b6&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4N4wN?ver=bafb&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pkvE?ver=d8fc&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pndL?ver=5217&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pxBu?ver=eae5&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4qZxW?ver=11cf&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4rriw?ver=b2d5&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4rzE2?ver=aa0b&amp;q=
Source: de-ch[1].htm.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQDc?ver=30c2&amp;q=
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: general.min[1].js.13.dr String found in binary or memory: https://jquery.com/
Source: general.min[1].js.13.dr String found in binary or memory: https://jquery.org/license
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: C35D0C9B-162A-4BE1-BAF9-F09B9C11FBF9.0.dr String found in binary or memory: https://lifecycle.office.com
Source: login[1].htm.13.dr String found in binary or memory: https://login-iis.azureedge.net/resources/v-2021-01-05-001/iis/style/css-bundle/common.css
Source: login[1].htm.13.dr String found in binary or memory: https://login-iis.azureedge.net/resources/v-2021-01-05-001/scripts/html5.js

System Summary:

Tries to load missing DLLs
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll
Source: classification engine Classification label: mal52.phis.evad.winDOCX@8/188@16/7
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{B616670E-846B-481D-899F-F4D9052F2A82} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = word/_rels/header1.xml.rels
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = word/media/image3.jpeg
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/itemProps4.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/item3.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = docProps/custom.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/item2.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/_rels/item4.xml.rels
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: 2021-02-18 Fivoor - Overleg - Kwartaaloverleg.docx Initial sample: OLE zip file path = customXml/item4.xml
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Persistence and Installation Behavior:

Contains an external reference to another document
Source: settings.xml.rels Binary or memory string: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://lemontree1.sharepoint.com/sites/Sjablonen/OfficeTemplates/Projectmanagement/Plan%20van%20aanpak%20Migratie_Klantnaam_Projectnaam_YYYYMMDD.dotx" TargetMode="External"/></Relationships>

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
Source: ~WRS{31CB24EF-1DEB-4C38-BB46-32AB8B1362AD}.tmp.0.dr Binary or memory string: Daarna kan ook de VMWare update verder uitgevoerd worden.
Source: ~WRS{31CB24EF-1DEB-4C38-BB46-32AB8B1362AD}.tmp.0.dr Binary or memory string: Het VDI cluster kan door (oudere) Dell compute nodes niet verder geupgrade worden dan een bepaalde VMWare versie (ESXi 6.5). Deze is momenteel nog wel in support (Support eindigt op 15-11-2021).

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Behavior Graph

Behavior Graph ID: 358573
Sample: 2021-02-18 Fivoor - Overleg...
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 52
Signatures (sample): Contains an external reference to another document; Phishing site detected (based on logo template match)
DNS/IP (sample): www.iis.net; waws-prod-bay-029.sip.azurewebsites.windows.net; iis-umbraco.azurewebsites.net
Process started: WINWORD.EXE (47 created registry values, 78 created files)
    DNS/IP: lemontree1.sharepoint.com; avatars.githubusercontent.com; 2 other IPs or domains
    Process started: MSOSYNC.EXE (5 created registry values, 12 created files)
    Process started: MSOSYNC.EXE (2 created registry values, 3 created files)
Process started: iexplore.exe (2 created registry values, 67 created files)
    DNS/IP: microsoftwindows.112.2o7.net; mem.gfx.ms; assets.onestore.ms
    Process started: iexplore.exe (6 created registry values, 194 created files)
        DNS/IP: waws-prod-bay-029.sip.azurewebsites.windows.net 40.118.185.161, 443, 49729, 49730 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; github.com 140.82.121.3, 443, 49789, 49790 GITHUBUS United States; 21 other IPs or domains

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
40.118.185.161 unknown United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
151.101.1.192 unknown United States 54113 FASTLYUS false
140.82.121.3 unknown United States 36459 GITHUBUS false
34.253.10.100 unknown United States 16509 AMAZON-02US false
192.229.221.185 unknown United States 15133 EDGECASTUS false
185.199.108.133 unknown Netherlands 54113 FASTLYUS false
152.199.21.175 unknown United States 15133 EDGECASTUS false

Contacted Domains

Name IP Active
sni1gl.wpc.gammacdn.net 152.199.21.175 true
avatars.githubusercontent.com 185.199.108.133 true
microsoftwindows.112.2o7.net 15.237.136.106 true
github.com 140.82.121.3 true
asp.net 40.118.185.161 true
cs1227.wpc.alphacdn.net 192.229.221.185 true
liveperson.map.fastly.net 151.101.1.192 true
waws-prod-bay-029.sip.azurewebsites.windows.net 40.118.185.161 true
sn.webrootcloudav.com 34.253.10.100 true
logincdn.msauth.net unknown unknown
www.asp.net unknown unknown
login.iis.net unknown unknown
assets.onestore.ms unknown unknown
lemontree1.sharepoint.com unknown unknown
mem.gfx.ms unknown unknown
www.iis.net unknown unknown
publisher.liveperson.net unknown unknown
dc.services.visualstudio.com unknown unknown
consentdeliveryfd.azurefd.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.iis.net/?utm_medium=iis-deployment false high
https://login.iis.net/account/login?ReturnUrl=https://www.iis.net/ false high