Loading ...

Play interactive tour

Edit tour

Windows Analysis Report CRE Cash Flow - ETBF - Becker.xls

Overview

General Information

Sample Name:	CRE Cash Flow - ETBF - Becker.xls
Analysis ID:	438536
MD5:	0d701f8c3fd87eb9f1ff112dd917831e
SHA1:	4f25bbee69dd003073220de14e3d1c4bb2d20c11
SHA256:	bbb844c0d0874ef8c925e61ba1bb094f29fca834d534357208541c866292182a
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

×

Process Tree

System is w10x64

EXCEL.EXE (PID: 5400 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.office.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://augloop.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cdn.entity.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cortana.ai
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://cr.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://directory.services.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://graph.windows.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://login.windows.local
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://management.azure.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://management.azure.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://tasks.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 3E833812-6C07-409C-BE20-4C84188792F7.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: classification engine

Classification label: clean0.winXLS@1/2@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{5714FB7E-D260-4C42-A854-191AFBFB100C} - OProcSessId.dat

Jump to behavior

Source: CRE Cash Flow - ETBF - Becker.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: CRE Cash Flow - ETBF - Becker.xls

Initial sample: OLE summary lastprinted = 2021-03-10 17:03:02

Source: CRE Cash Flow - ETBF - Becker.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Virustotal		Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://login.microsoftonline.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://shell.suite.office.com:1443	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://autodiscover-s.outlook.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://cdn.entity.	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://powerlift.acompli.net	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://cortana.ai	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://api.aadrm.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://api.microsoftstream.com/api/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://cr.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://graph.ppe.windows.net	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://officeci.azurewebsites.net/api/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://store.office.cn/addinstemplate	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://globaldisco.crm.dynamics.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://store.officeppe.com/addinstemplate	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://web.microsoftstream.com/video/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://graph.windows.net	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://dataservice.o365filtering.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://ncus.contentsync.	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
http://weather.service.msn.com/data.aspx	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://apis.live.net/v5.0/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://management.azure.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://wus2.contentsync.	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://api.office.net	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://incidents.diagnosticssdf.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://entitlement.diagnostics.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://outlook.office.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://templatelogging.office.com/client/log	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://outlook.office365.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://webshell.suite.office.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://management.azure.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://devnull.onenote.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://ncus.pagecontentsync.	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://messaging.office.com/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://augloop.office.com/v2	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://skyapi.live.net/Activity/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://dataservice.o365filtering.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://directory.services.	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high
https://staging.cortana.ai	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	3E833812-6C07-409C-BE20-4C84188792F7.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	438536
Start date:	22.06.2021
Start time:	18:17:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CRE Cash Flow - ETBF - Becker.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLS@1/2@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, HxTsr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 23.211.6.115, 204.79.197.200, 13.107.21.200, 52.109.88.177, 52.109.12.22, 52.109.12.24, 23.35.236.56, 184.24.3.140, 13.107.42.23, 13.107.5.88, 20.82.210.154, 51.103.5.159, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.211, 80.67.82.235, 51.103.5.186 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, skypedataprdcoleus15.cloudapp.net, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, nexus.officeapps.live.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3E833812-6C07-409C-BE20-4C84188792F7 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134914
Entropy (8bit):	5.367827177253041
Encrypted:	false
SSDEEP:	1536:+cQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:qEQ9DQW+zvXO1
MD5:	BBDA4BF055F1AE7C207F573798F1F22D
SHA1:	76B8AD81B99B273606E4134F232D1354E2D3EF0F
SHA-256:	6200D156C883F2D00A05ADBFA500D76A4F9EBBF1AF704AE61EB9D44C10FC0273
SHA-512:	1AE3D795F9FCC6D7618A50E27E2AB28DC1ACA38AF5CBA1B24FC7F47B30622E0546C132BF915311D1839FEE213140694313CD9141DFD9EC245B2CBC6CF0169F26
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-22T16:18:46">.. Build: 16.0.14221.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....p.r.a.t.e.s.h.....

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Employee, Last Saved By: David G. Schreiber, Name of Creating Application: Microsoft Excel, Last Printed: Wed Mar 10 17:03:02 2021, Create Time/Date: Thu Nov 8 15:24:39 2001, Last Saved Time/Date: Tue Jun 22 16:39:09 2021, Security: 0
Entropy (8bit):	2.9256624131355142
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	CRE Cash Flow - ETBF - Becker.xls
File size:	303616
MD5:	0d701f8c3fd87eb9f1ff112dd917831e
SHA1:	4f25bbee69dd003073220de14e3d1c4bb2d20c11
SHA256:	bbb844c0d0874ef8c925e61ba1bb094f29fca834d534357208541c866292182a
SHA512:	3772be278535ad0ac434d9153ef0a279ce29c0d4eb812173493823d8be73bb047c380787f33e91863e6ce964454cb255979c68d690b29744c72bcbf4eb55d86c
SSDEEP:	6144:3KxEtjPOtioVjDGUU1qfDlavx+W/IEyDV7peO:KDZpeO
File Content Preview:	........................>.......................O...........................J...K...L...M...N..................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "CRE Cash Flow - ETBF - Becker.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1252
Author:	Employee
Last Saved By:	David G. Schreiber
Last Printed:	2021-03-10 17:03:02
Create Time:	2001-11-08 15:24:39
Last Saved Time:	2021-06-22 15:39:09
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:	Moody National Bank
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.734663754325
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . . . . . M o o d y N a t i o n a l B a n k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C a s h F l o w . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . R e n t
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b0 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 74 00 00 00 0b 00 00 00 7c 00 00 00 10 00 00 00 84 00 00 00 13 00 00 00 8c 00 00 00 16 00 00 00 94 00 00 00 0d 00 00 00 9c 00 00 00 0c 00 00 00 6f 01 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.357653057646
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E m p l o y e e . . . . . . . . . . . . D a v i d G . S c h r e i b e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . g . : . . . . @ . . . . . % { i h . . @ . . . . . . . \| g . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 291814

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	291814
Entropy:	2.95538260784
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D a v i d G . S c h r e i b e r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . x . . . . $ . . 8 . . . . . . . X . @ . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 12 00 00 44 61 76 69 64 20 47 2e 20 53 63 68 72 65 69 62 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 22, 2021 18:18:33.433048964 CEST	53	64344	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:34.153059006 CEST	62060	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:34.210952997 CEST	53	62060	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:34.553158998 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:34.615191936 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:34.980598927 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:35.032383919 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:36.650032043 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:36.709098101 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:37.186050892 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:37.243690968 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:38.002104044 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:38.055351973 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:39.252264023 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:39.313318014 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:45.119653940 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:45.169739008 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:46.282203913 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:46.379468918 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:46.839675903 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:46.902981997 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:46.915709972 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:46.961884022 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:47.859606028 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:47.921515942 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:48.753530979 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:48.806318045 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:48.891717911 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:48.971625090 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:49.545698881 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:49.600014925 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:50.891551971 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:50.953310013 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 22, 2021 18:18:54.939157009 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:18:55.000001907 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:01.896912098 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:01.905400038 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:01.957750082 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:01.968756914 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:08.217483044 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:08.276920080 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:11.117552042 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:11.122605085 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:11.124463081 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:11.173072100 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:11.173866987 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:11.174627066 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:11.241306067 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:11.308921099 CEST	53	57128	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:14.870965004 CEST	54791	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:14.940855026 CEST	53	54791	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:28.852669001 CEST	50463	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:28.913360119 CEST	53	50463	8.8.8.8	192.168.2.5
Jun 22, 2021 18:19:33.995433092 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:19:34.066327095 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 22, 2021 18:20:01.811372995 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:20:01.885734081 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 22, 2021 18:20:06.873049974 CEST	53813	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:20:06.941183090 CEST	53	53813	8.8.8.8	192.168.2.5
Jun 22, 2021 18:20:15.061153889 CEST	63732	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:20:15.129185915 CEST	53	63732	8.8.8.8	192.168.2.5
Jun 22, 2021 18:20:15.609364986 CEST	57344	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:20:15.677145958 CEST	53	57344	8.8.8.8	192.168.2.5
Jun 22, 2021 18:20:16.693604946 CEST	54450	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:20:16.753087044 CEST	53	54450	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 5400 Parent PID: 792

General

Start time:	18:18:44
Start date:	22/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xc50000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >