Windows Analysis Report
cbH3TvDB3v.doc

Overview

General Information

Sample Name: cbH3TvDB3v.doc
Analysis ID: 647425
MD5: 4d5da2273e2d7cce6ac37027afd286af
SHA1: 85a659971ad5aea58ff20a078532e688f7e1659b
SHA256: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
Tags: matanbuchus, msi, signed, WesteastTechConsultingCorp

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains OLE streams with names of living off the land binaries
PE / OLE file has an invalid certificate
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: cbH3TvDB3v.doc Virustotal: Detection: 12%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: winword.exe Memory has grown: Private usage: 0MB later: 63MB

System Summary

Source: cbH3TvDB3v.doc Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468'
Source: ~DFE82BBEEE0183323C.TMP.0.dr Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468' : identical to the stream content listed above for cbH3TvDB3v.doc
Source: cbH3TvDB3v.doc Static PE information: invalid certificate
Source: cbH3TvDB3v.doc OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFE82BBEEE0183323C.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: cbH3TvDB3v.doc Virustotal: Detection: 12%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{944E30E7-F839-4F57-808E-44253C669FE6} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: classification engine Classification label: mal52.winDOC@1/16@0/0
Source: cbH3TvDB3v.doc OLE document summary: edited time not present or 0
Source: ~DFE82BBEEE0183323C.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: cbH3TvDB3v.doc.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\cbH3TvDB3v.doc
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cbH3TvDB3v.doc Initial sample: OLE summary comments = Adobe Font Pack
Source: cbH3TvDB3v.doc Initial sample: OLE summary template = Intel;1033
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: cbH3TvDB3v.doc Initial sample: OLE summary keywords = Installer
Source: cbH3TvDB3v.doc Initial sample: OLE summary subject = Adobe Font Pack 3.0.12.9
Source: cbH3TvDB3v.doc Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: cbH3TvDB3v.doc Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)
Source: ~DFE82BBEEE0183323C.TMP.0.dr Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)
No contacted IP infos