Windows Analysis Report
cve-2025-21298-poc.rtf

Overview

General Information

Sample name: cve-2025-21298-poc.rtf
Analysis ID: 1598431
MD5: 9d68678aeee52684bbe3c983222b1da3
SHA1: ba3ae643e20a26aca550b6888d9107e5d434959c
SHA256: 93ef57b81021be174e33b5b48c1aed525d2785c3607aeb540508bb3713690179
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Document exploit detected (process start blacklist hit)
AV process strings found (often used to terminate AV products)
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
One or more processes crash
Yara signature match

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]
  • System is w10x64
  • WINWORD.EXE (PID: 6752 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • WerFault.exe (PID: 7384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4476 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4528 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source: cve-2025-21298-poc.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0xe:$obj1: \objhtml
  • 0x4a:$obj2: \objdata
  • 0x22:$obj3: \objupdate
No Sigma rule has matched
No Suricata rule has matched


Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Process created: C:\Windows\SysWOW64\WerFault.exe
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626n
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/r
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtmlO:1
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/TN#
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/xI_
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.com002e
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechQ
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechz
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fs.m
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fs.microso
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.comom
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net/L=1
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net2
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/W=
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/e
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.nett
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com756634-1002
Source: WINWORD.EXE, 00000000.00000002.2004843549.000000000CFC9000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000003.1895705530.000000000CFC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comp
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/u4L
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetryP;)
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d=3
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dxes
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=13e
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1ideb
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=iconsOffice
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimagesDlH
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideosboV
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.coma
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.coml
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.come
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientl
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppI
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingl
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bings/Mi
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2006940690.000000000FD59000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtPo$
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebookffice
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickru
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivetsP
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia)
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/Yn:
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechH
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.comM
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FDBE000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2004843549.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000003.1895705530.000000000D0C3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FDBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/s
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FDBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.comcX
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoft.
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/2
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/organizations5
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/organizationsg
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com:
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.comPI
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD9B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windo
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD59000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize.
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(p
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)q(
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.r%
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/s&
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=r
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?p
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC~2
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeHrG
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeKqJ
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeL~C
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeO
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeYp8
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZq9
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_r6
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedpk
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizee
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefic
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizejri
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FD02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetInfo
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/T:&
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comx
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios:%
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.contentsync.
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCEE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000003.1895705530.000000000D08F000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2004843549.000000000D08F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.odwebp.svc.ms0
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.odwebp.svc.msom
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yammer.com
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yammer.comh
Source: WINWORD.EXE, 00000000.00000002.2006940690.000000000FCA4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.comd

System Summary

Source: cve-2025-21298-poc.rtf, type: SAMPLE; Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: WER2D41.tmp.xml.7.dr; OLE indicator, VBA macros: true
Source: WER2D41.tmp.xml.7.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4476
Source: cve-2025-21298-poc.rtf, type: SAMPLE; Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: classification engine; Classification label: mal52.expl.winRTF@4/6@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\Desktop\~$e-2025-21298-poc.rtf
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\{2FFE59CF-66DB-49E2-95E5-69C2DB2EF0BC} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WerFault.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4476
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4528
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process created: unknown unknown
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process information queried: ProcessInformation
Source: Amcache.hve.7.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 1 Scripting | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
[Behavior graph: ID 1598431; Sample: cve-2025-21298-poc.rtf; Startdate: 24/01/2025; Architecture: WINDOWS; Score: 52. Signatures: Malicious sample detected (through community Yara rule); Document exploit detected (process start blacklist hit). Process tree: WINWORD.EXE started two WerFault.exe processes.]

Source | Detection | Scanner | Label | Link
cve-2025-21298-poc.rtf | 5% | Virustotal | | Browse
cve-2025-21298-poc.rtf | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
                                                                                                                                    No contacted IP infos
                                                                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                                                                    Analysis ID:1598431
                                                                                                                                    Start date and time:2025-01-24 08:59:58 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 5m 26s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                    Number of analysed new started processes analysed:14
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:cve-2025-21298-poc.rtf
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal52.expl.winRTF@4/6@0/0
                                                                                                                                    EGA Information:Failed
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                    • Number of executed functions: 0
                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .rtf
                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                    • Unable to detect Microsoft Word
                                                                                                                                    • Close Viewer
                                                                                                                                    • Corrupt sample or wrongly selected analyzer.
                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                                                                    • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 104.208.16.94, 2.21.65.149, 2.21.65.130, 20.189.173.20, 184.28.90.27, 20.190.160.20, 172.202.163.200, 13.107.253.61
                                                                                                                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-config.officeapps.live.com, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, onedsblobprdcus16.centralus.cloudapp.azure.com, ecs.office.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, e26769.dscb.akamaiedge.net, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                    • Execution Graph export aborted for target WINWORD.EXE, PID 6752 because there are no executed function
                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:01:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                    No context
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.8046682468675377
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:eap+o2tMb7jLo+wR2Aob2mpBGsOJOa9Zd/rzuiFFY4IO8Ha:e7tMb7jFCmMzuiFFY4IO8
                                                                                                                                    MD5:073FCFB7DB35638B997C5CDE8973B909
                                                                                                                                    SHA1:82550A19A8CF19F691D55D0C4D216DE3F493365E
                                                                                                                                    SHA-256:C58B79CB7F24D2DB02A22437938D3333AA604601D7D23AD03D1F808F180456FB
                                                                                                                                    SHA-512:1CEC67275AA2B894D4739F9245BCB7EACE51BD129DA3AE30D32C5742A97C8D065CE59E090ED6E73FAC384168EB2CFF5582AC47711120C298BB7A3702F4D54EEA
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.1.7.9.2.5.7.8.9.2.0.1.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.1.7.9.2.5.9.2.2.0.1.3.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.a.c.a.5.8.d.-.f.1.f.9.-.4.c.0.b.-.9.6.a.1.-.e.b.d.f.a.8.7.5.c.8.d.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.1.8.2.9.5.3.-.2.c.b.3.-.4.1.4.f.-.8.b.9.6.-.0.a.7.c.9.3.3.3.b.7.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.I.N.W.O.R.D...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.n.W.o.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.0.-.0.0.0.1.-.0.0.1.4.-.5.3.1.9.-.c.6.1.5.3.6.6.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.a.d.9.7.6.e.e.3.1.0.3.2.b.5.a.2.0.f.2.1.0.0.7.9.9.9.6.6.e.0.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.4.c.1.8.b.8.a.2.e.d.6.0.f.b.8.2.f.9.4.4.0.a.0.c.c.9.7.7.e.c.2.1.2.9.f.1.2.b.a.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Fri Jan 24 08:00:58 2025, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):398140
                                                                                                                                    Entropy (8bit):2.3480850279346863
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:RMPuWvoeYbgfr0d9eld9TW83N/hbhXmwP6UK2zPYsx6UNH+4:RQuWZYbgTo4JT/d/hbhmelzmUNH+4
                                                                                                                                    MD5:F8186B7DBCE19F223505E50A0FB4FD96
                                                                                                                                    SHA1:A107773B84EAA42E6A4B44992AED48EAACBE765C
                                                                                                                                    SHA-256:E34E4BCEF85CBB347D6203F6AACFF0D0E6E0CA2F2C09BCDE3E159C1B3DDB1FA6
                                                                                                                                    SHA-512:1FB8C2BA085AF7CFCC18F78743DDB4A3EF1A6DBB353AA01CDC4DC430FBB4BAC29800A42E00A183C060451EE8B795B9087960113DD34867632BFF910EB2CDAEA5
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:MDMP..a..... ........H.g........................L?..............DK......d..............`.......8...........T...........H....d...........L...........M..............................................................................eJ.......N......GenuineIntel............T.......`....H.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):9090
                                                                                                                                    Entropy (8bit):3.7148683815268497
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJ5q6j6YXeSU7jH8gmf8fZ3y1Hprq89bEQsfcsm:R6lXJ06j6YOSU7jH8gmf8fZ3y15Ejfu
                                                                                                                                    MD5:C93B1199740A4F68D0BAA3F8B4CADDFD
                                                                                                                                    SHA1:E534F91517234E8B26097868D3911B3E7703B510
                                                                                                                                    SHA-256:AA25B5F13F353D494CE5BE82C035F5F4F61394FF8D8C0F642F8F031BB23A945F
                                                                                                                                    SHA-512:D83EC67ED8562B2B6BFFA39F31387A7EC56FC121385B62DF6E6272B74584D0BBD507F25F8E5534373EC22F8926603BA546BC8ED31A6375ED455B2779899965F7
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.5.2.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5166
                                                                                                                                    Entropy (8bit):4.5644540963218425
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsVJg77aI98A4XWpW8VYhYm8M4JjJSkK6FrQ+BYi8qwTEKHG5fgsMGh3d:uIjfvI76A4m7V5JjwAQKwO7MGh3d
                                                                                                                                    MD5:19C773AED1CB4149675CC2DB28D608E1
                                                                                                                                    SHA1:35263E32941AFD9ACFE87D63776C1284646E589B
                                                                                                                                    SHA-256:42D35A301A7A244EF253855FC36640000ACFE531AE09798927364E01E1FF7112
                                                                                                                                    SHA-512:D26F0F0A52074AD703F2231A9E55F1E37BE8CB0FE0DC5FC9E4C3702D43FBECD6CD407D54E355B7DB3F7904A0233BC7AC5E6F7CA2E6BE8366C3323FCCC14F6DDA
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="689703" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):162
                                                                                                                                    Entropy (8bit):3.7291046365020546
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:KVGl/lilKlRAGlUVdXVBY9/t4ltGmZg/lFDDIn:KVy/4KDezYFu40gly
                                                                                                                                    MD5:0DD3AECDE4579578C0B891B231C40A97
                                                                                                                                    SHA1:C44F5C72FA5C03709E0E7B173C6AA7B29F053C1C
                                                                                                                                    SHA-256:90FB0C7DA43CF43836D05950749CADBA0E1FB6726DCC8070A79BD308E3F31CAF
                                                                                                                                    SHA-512:7DAA1A00854F0446C8A52E8A2BF6E32109374C0740C66BF895A137761465C0C7228539890779E3DE5A3D0EE41253D8002BDE7E94D16ECF7492F8ECC9DFD5D278
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:.user..................................................j.o.n.e.s...a00.02000000.00000000.}.}}................x...6n..3V..........6n......z.1i.!/.}.uj.........=3j
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1835008
                                                                                                                                    Entropy (8bit):4.4629320143555
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:mIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WAB30uN2dwBCswSbn:LXD94+WlLZMM6YXHg+n
                                                                                                                                    MD5:1B56803257E1E186A3AC221C899A68C1
                                                                                                                                    SHA1:637EB13D33A6788274A5937688139C1A96813229
                                                                                                                                    SHA-256:CEA19C6371F01702A07064D48EC5F1EB87A26C4BBFAE7499DC850596F04A5F81
                                                                                                                                    SHA-512:5B3DFED6D4400BB991320D569B63D196205FA3578C1623CDB1C411C1FAE729D951BB80EC9CC9B4B3CB0B185A5546CA77A60C629CCDF2B9A40F0E63AE408446D3
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf.H.6n................................................................................................................................................................................................................................................................................................................................................_-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    File type:Rich Text Format data, version 1
                                                                                                                                    Entropy (8bit):3.715350055101278
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name:cve-2025-21298-poc.rtf
File size:221 bytes
MD5:9d68678aeee52684bbe3c983222b1da3
SHA1:ba3ae643e20a26aca550b6888d9107e5d434959c
SHA256:93ef57b81021be174e33b5b48c1aed525d2785c3607aeb540508bb3713690179
SHA512:16e5a46e946363d5ecbe5e9b8a38503123d9d98756a13a9bc8d1a092e82af9660192c6d0c576ccd498c0aedf4a14e8f63c318936fc6487dc38c72fdc42246876
SSDEEP:3:gOVAGaI6vUvuvX+xReRQGJ/ecPBEmrd3V8CLRBgTfVdVDVfVdVwFt3dXVBYv:9AFQfxR4F/jExCL40Yv
TLSH:3BD08C44E00FCEA7E10C180128AFB07E28203C439BC826413662B07646C04EE2C3C46A
File Content Preview:{\rtf1{\object\objhtml\objw1\objh1\objupdate\rsltpict{\*\objclass None}{\*\objdata 0105000002000000.0a000000.53746174696344696200.00000000.00000000.04000000.00000000.00000000.05000000.02000000.aa00.02000000.00000000.}.}}.
Icon Hash:35e1cc889a8a8599
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 0000004Eh | 2 | embedded | StaticDib | 4 | | | | no
No network behavior found

Target ID:0
Start time:03:00:51
Start date:24/01/2025
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:0x7a0000
File size:1'620'872 bytes
MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:03:00:56
Start date:24/01/2025
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4476
Imagebase:0xc20000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:03:01:11
Start date:24/01/2025
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 4528
Imagebase:0xc20000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

No disassembly